Breach, Threat Management, Data Security

“Paradise Papers” breach reveals offshore tax secrets, U.S. commerce secretary’s Russian ties

A trove of leaked documents known as the Paradise Papers -- many of which were lifted in a 2017 data breach of offshore law firm Appleby -- was made public this weekend, revealing how wealthy individuals and corporations strategically use tax havens to their advantage.

Covered extensively by German newspaper Süddeutsche Zeitung as well as the International Consortium of Investigative Journalists (ICIJ) on Sunday, the Paradise Papers consist of 13.4 million records, including emails, loan agreements and bank statements, that contain sensitive financial information pertaining to highly prominent and influential figures. Among them are England's Queen Elizabeth II; Canadian Prime Minister Justin Trudeau's chief fundraiser Stephen Bronfman; and more than a dozen individuals linked to President Donald Trump, including advisers, Cabinet members, and major donors.

The ICIJ noted that the use of offshore tax havens is not inherently illegal. However, the organization adds, "the built-in secrecy attracts money launderers, drug traffickers, kleptocrats, and others who want to operate in the shadows." Moreover, "Offshore companies, often 'shells' with no employees or office space, are also used in complex tax-avoidance structures that drain billions from national treasuries."

Notably, the papers shed light on another tie between a key Trump political appointee and Russia. Specifically, the ICIJ reported via its website that U.S. Secretary of Commerce Wilbur Ross owns a stake in Navigator Holdings, a shipping company that since 2014 has received more than $68 million in revenue from Kremlin-linked energy company Sibur, which is owned Russian President Vladimir Putin's son-in-law, Kirill Shamalov.

“There's nothing whatsoever improper about Navigator having a relationship with Sibur,” said Ross in an interview that the BBC published via Twitter. “The fact that [Sibur] happens to be called a Russian company does not mean there's any evil in it.” Politico also reported that a Ross spokesman said the commerce secretary never met the Sibur owners in question and that he had recused himself from such matters.

Meanwhile, NBC News has reported that although Ross claims he properly disclosed his Russian business ties to Congress, the ICIJ report asserts the information he provided was incomplete and therefore misleading.

The ICIJ said that in addition to Appleby, the leaked documents also were sourced from Estera, a corporate services provider that previously operated in conjunction with Appleby, as well as from "19 corporate registries maintained by governments in jurisdictions that serve as way stations in the global shadow economy."

The Paradise Papers has already been compared to the 2015 Panama Papers leak, which resulted from the data breach of law firm Mossack Fonseca. 

"...Beyond the shock factor of the leaked data itself, what's more alarming is the depth and magnitude of this breach. Law and accounting firms should raise the alarm when it comes to their firm's cybersecurity rigor," said Mark Sangster, VP and industry security strategist at cybersecurity company eSentire, in emailed comments.

While the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack," Sangster continued. "Law and accounting firms are particularly susceptible to ethical hacking and really, every firm should assume they'll be breached... These firms house a treasure trove of sensitive data that, when compromised, can result in sometimes irrecoverable damage.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, agreed that law firms are an attractive target for cybercriminals. "Hacking of their clients is quite costly, will likely be detected and investigated, and almost certainly will cause very serious counteractions," said Kolochenko, in emailed comments. "It may be a good moment to think about imposing obligatory data security standards on law firms and practicing attorneys. Their data deserves at least the same level of protection as data of companies under PCI, DSS or HIPAA compliance. Otherwise, visiting attorneys will become a very risky practice."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.