I read today in infosecurity magazine that the law firm Appleby whose tax-sheltering habits are currently splattered all over the news, thanks to a massive leak of internal data; have claimed that a) the attack was apparently a sophisticated professional-grade hack and b) there was no evidence of data having left their systems.

I laughed out loud

Apparently, a team of professional computer forensics geeks have been unable to identify how the data was exfiltrated. Fair enough actually; it’s entirely possible that Appleby had no access controls or security logging in place (this is very common since such things require time, money, effort and thought to set up, corporate enthusiasm for that sort of thing is usually pretty scarce) and so there was simply no breadcrumb trail to follow. This has led them to conclude that a devilishly clever outside actor was responsible rather than a leak from some git on the inside. *Sceptical face* – it’s far more likely that an intrusion would leave traces than an internal misuse of privileged access would. (I guess their insurance covers being hacked but not being stitched up by one’s own workforce #cynicalsmirk)

But wait a minute…..no evidence that data was exfiltrated clearly does not mean that no data was exfiltrated…… The data has been passed to a variety of media outlets, it has definitely escaped somehow.

This is an important point – how often, after a reported data leak/loss/hack/etc have we heard a statement from the organisation affected that they have “no evidence” that any data was exposed, misused or extracted? (Rhetorical question; they all say that). The absence of evidence is not evidence of absence and such claims should to be taken to mean only that the organisation has limited information as to what really happened to the data. No-one should take reassurance from an open declaration of cluelessness.

The other point; about the sophistication of the tactics used to nab the data is that everyone also claims that every information security breach is a sophisticated attack – even when most of them turn out to be teenagers operating from their bedrooms, or result from an unwittingly obliging senior exec clicking on the wrong link or email attachment. I’m not saying that this particular depth charge wasn’t a high-tech military-grade IT Ninja attack…..only that such things are awfully rare and largely unnecessary thanks to the laxity of infosec controls in most places.

Anyway, if I were wealthy enough to make using offshore tax avoidance schemes worthwhile, I would probably demand a full infosec audit report from any law firm I was considering handing my data over to…..