It's difficult to imagine that the information the ICIJ financial exposé was based upon was leaked by insiders. Protected information was obtained from so many different, unrelated sources during such an overlapping period of time that it's easy to imagine that government actors or large-scale hacking organizations must have been involved.
According to Wikipedia, The International Consortium of Investigative Journalists (ICIJ), is an independent global network of 280 investigative journalists and over 100 media organizations spanning more than 100 countries. It is based in Washington, D.C. with personnel in Australia, France, Spain, Hungary, Serbia, Belgium and Ireland.
The Pandora Papers was merely the latest in a string of large-scale data intrusions illuminating the financial behaviors of the financial elite and was released by the ICIJ. Prior to its release, in October 2021, media organizations reported on the Panama Papers, the Paradise Papers, the FinCEN Files, LuxLeaks, Swiss Leaks, Mauritius Leaks, and a host of smaller troves of financial records.
The Pandora Papers alone contained some 12 million documents taken from more than a dozen organizations, including financial services providers like Trident Trust Company Limited, Alpha Consulting Limited, Asiaciti Trust, and international law firms like Alcogal (Alemán, Cordero, Galindo & Lee).
Firms like these tend to follow strict information security protocols, both to protect their clients' privacy and to comply with applicable law in the countries where they do business. Moreover, some of the firms involved, including Alcogal, investigated thoroughly yet could not determine the source of the leak. In other words, whoever obtained the information did so in a manner so sophisticated that it left no apparent trace.
This raises an important and perhaps disturbing question. If major international financial and legal services providers with such stringent security can suffer from data incidents like the Pandora Papers, what hope do the rest of us have to protect ourselves in the digital realm?
Assigning Blame for Leaks of Sensitive Information
So, who is to blame for the Pandora Papers?
Alcogal released a statement saying "We reiterate that any alleged information from our clients was extracted illegally". So far, no one, with the possible exception of the ICIJ, knows who extracted the information, or how. Cybersecurity experts who've spent time with the problem certainly have theories about who could be responsible. While the operation appears to be quite sophisticated, there's no shortage of people and parties who benefit from the release of sensitive financial and legal information about the global elite.
What we do know is that the digital realm is populated by forces that are very good at getting what they want - and equally good at concealing their activities. Some of the world's most powerful people know this better than most.
Russian President Vladimir Putin famously avoids SMS messaging (texting) because he doesn't know who could be listening and isn't confident that his own cyberdefenses are adequate to ward off those listeners. According to reports, former German chancellor Angela Merkel unwittingly used a phone bugged by U.S. intelligence for years, although investigations into the matter ended inconclusively.
Meanwhile, we hear about high-profile attacks on large, economically critical firms every month. In the first half of 2021, JBS - one of the world's largest food producers - suffered a days-long outage due to a ransomware attack. Something similar happened to Colonial Pipeline, a midstream petrochemicals firm critical to the eastern United States' fuel supply.
These attacks were likely perpetrated by loosely affiliated international organized criminal groups. Many think of these groups as the digital equivalent of street gangs who extract tribute from shop owners and dole out corrupt payments to local officials. But from a technical perspective, they're far more sophisticated. They're capable of overwhelming the most sophisticated cyber defenses to get what they want - usually a cryptocurrency payoff that can be very difficult to trace.
Many Possible Vectors for Stolen Information
These international criminal organizations aren't the only bad actors in the digital realm. There are many other possible perpetrators of leaks like the Pandora Papers.
The most intriguing possibilities involve nation-state actors. Every major country - and some smaller rogue countries, like North Korea - employs elite computer technicians, usually within intelligence agencies. These technicians play two roles: shoring up the state's cyber defense and sharpening its offensive cyber capabilities. It's been happening for a long time. Back in 2014, an article stemming from the Edward Snowden archives illustrated how agencies such as Britain's Joint Threat Research Intelligence Group used "dirty tricks" to destroy the credibility and reputations of various groups and individuals. In fact, you can view their playbook here.
These agencies and actors have different motives, but the goal is generally to achieve geopolitical advantage by embarrassing or weakening adversaries. For example, Russia's efforts to influence the United States' electoral process have been well-documented, as has the joint Israeli-U.S. campaign to sabotage the Iranian nuclear program.
Some nation-state actors are motivated by money. North Korea's cyber forces - among the world's best - devote much of their efforts to executing sophisticated, high-payoff ransomware attacks to raise money for the country's ruling regime.
Regardless of their motivation, all nation-state cyber forces have at least one thing in common: They are very good at what they do. If they want something, they often tend to get it. It's therefore exceedingly difficult for individuals and organizations to deter them. And because they often leave no trace of their activities after the fact, it's often difficult to conclusively blame them for the disruptions they cause.
Was the CIA Involved?
One of the most provocative theories about the Pandora Papers' origin involves the CIA or other U.S. intelligence agencies. There's an abundance of circumstantial evidence for this possibility:
Very few U.S. individuals or corporations are named in the documents, despite the fact that many wealthy Americans use offshore accounts and entities to reduce their tax obligations.
Russian nationals comprise a disproportionate share of named individuals. The list includes more than 50 Russia-based billionaires and about 20 Russian politicians and officials, notably Vladimir Putin himself. Russia, of course, is a major U.S. adversary.
Other aspects of the release appear designed to create political leverage for the U.S. government, notably with respect to the Ukrainian government's anti-corruption campaign.
The Pandora Papers follow a pattern similar to other major financial leaks, including the Panama Papers, and bear the historic hallmarks of U.S. intelligence operations.
To be sure, the "CIA involvement" theory remains speculative. And due to the technical sophistication of the U.S. intelligence community's cyber forces, it's unlikely that we'll ever know for sure unless another Edward Snowden-like whistleblower appears.
Was It an Insider Attack?
Another possibility that does not necessarily require direct government involvement is that the Pandora Papers (and perhaps similar leaks in the past) were the work of a coordinated network of insiders.
Because they're perpetrated by trusted individuals with access to sensitive data, insider attacks are notoriously difficult to anticipate and defend against. Insiders working in coordination with advanced cyber technicians can obtain vast quantities of information without revealing their activities in real time. Often, nothing seems amiss until the information appears in public, at which point it's much too late for the affected organizations to prevent its dissemination.
If this sounds implausible, recall that the Pandora Papers is a vast trove of information stolen from a fairly small number of organizations - about a dozen. While more than 600 journalists analyzed and reported on this information, a much smaller number of insiders - perhaps as few as one or two per affected firm - would be required to obtain it in the first place. But what are the odds of a coordinated leak by insiders from within even a dozen tight-knit financial organizations?
Beyond Prevention: Defending Against Data Incidents Before and After They Occur
Regardless of who bears responsibility for damaging leaks like the Pandora Papers, it's clear that the typical individual or organization cannot mount a truly watertight defense - no matter the resources at their disposal.
While information security best practices are essential to prevent less sophisticated attempts to obtain sensitive information, elite cyber forces are not so easily deterred. Anyone concerned about their exposure should treat leaks as inevitable: a matter of "when," not "if." Luck can hold for a long time, but eventually it runs out.
When it does, affected organizations must be prepared not just to respond to the public outcry but to steer the conversation in a more productive direction. This requires a comprehensive strategy that contextualizes potentially sensational reporting and establishes an honest and persuasive counter-narrative. Key response elements might include:
Emphasizing that the affected party is likely to be constrained in what they can say about the leak by legal and ethical obligations. Stress that the origin of the leaks demands a thorough investigation followed by appropriate law enforcement action if warranted - one that raises the cost to the perpetrators of future leaks.
Reminding the public that these data incidents contain vast amounts of illegally obtained, highly confidential material that's often presented without appropriate context. Whereas much of the activity described in these leaks is wholly within the bounds of international law, the leaks themselves are not - they are theft.
Explaining that financial activities and behaviors are not illegal simply because they appear in illegally obtained document releases. Reports on these leaks do precious little to distinguish between lawful behaviors and genuine violations of international law. This one can be challenging due to a byzantine patchwork of local and regional laws.
Providing clear, simple explanations of the legal frameworks governing international tax and asset protection strategies. If tax policy weren't so complex, there would be no market for illegally obtained financial information and breathless reporting thereof.
Advocating for balanced, collaborative policy responses, such as multilateral tax reform. Law-abiding taxpayers deserve to know that the laws they follow cannot be abused by others.
Fiercely defending the reputations of clients and associates who did nothing wrong. The implication that any individuals mentioned in the leaks must be breaking the law is devastating to the reputations and livelihoods of those who did nothing wrong.
This might be an uphill battle; sensationalism sells. But the truth is always worth defending.
We may never know how the parties responsible for the Pandora Papers came into possession of some 12 million sensitive financial and legal documents. We do know the following:
Some of the affected firms could find no evidence of system compromise. Statements by firms like Alcogal suggest that the forces responsible used sophisticated techniques to cover their tracks or obtained the information by other means, such as disgruntled insiders.
Many individuals and entities are capable of obtaining sensitive digital information. This list includes well-resourced rogue cybercriminals, international organized criminal organizations, and cyber units housed within state intelligence agencies.
Leaks of this nature are illegal. While reporting on the financial behaviors of the rich and powerful is not illegal, obtaining confidential business and personal records is.
Data incidents like the Pandora Papers are probably inevitable. The Pandora Papers will not be the last leak of its kind. Anyone concerned about sensitive information coming to light should first recognize that no cyberdefense is 100% effective and that determined forces - especially those affiliated with nation-states - generally get what they want.
Individuals and organizations concerned about their exposure need a response plan. Given the above, a comprehensive post-leak response plan is vital. This plan needs to be customized to the affected parties' needs and should be as much about public positioning and reputational defense as attacking the substance of the leak. Individuals and entities that consistently follow applicable international law need to make that clear if they don't want to be associated with bad actors who abuse the system.