For over a year, more than 400 reporters have been inspecting terabytes of data originating from Panama-based law firm Mossack Fonseca. This “Panama Papers” data has turned out to be the greatest data leak in history, outperforming any similar data dump to date. Coming all from a whistleblower at Mossack Fonseca, the leak includes more than 4.8 million emails, 3 million database files, and 2.1 million PDF files, amounting to more than 2.6 terabytes of information.
Why is the leak important? Because it details the shady tax-evading business practices of various public figures for whom Mossack Fonseca helped create shell companies that were used to hide assets and money.
And it turns out all this data came from a single person who used increased protection to hide his or her identity and to siphon a large amount of data. Here’s how it happened.
DON’T MISS: Video reveals hidden Tesla Model 3 details
Before the DC-based International Consortium of Investigative Journalists released the news on Sunday with the help of more than a hundred media outlets from around the world, it was a single publication that stumbled across the information.
As Wired explains, Suddeutsche Zeitung reporter Bastian Oberway was contacted in late 2014 by a source who wanted to expose these practices. The reason the whistleblower chose Oberway is pretty simple actually: The Suddeutsche Zeitung did report on a smaller leak of Mossack Fonseca files to German government regulators.
The source told the reporter that his or her “life is in danger” and was willing to communicate only via encrypted channels, refusing real-life meetings. The source was able to provide more data than Obermayer “has ever seen,” he told Wired.
The reporter and his source conducted numerous interviews, using a series of encrypted channels that were frequently changed. The history of previous exchanges would be deleted before a new discussion. Obermayer didn’t name any apps in particular but suggested that apps such as Signal and Threema and PGP-encrypted mail may have been used.
Furthermore, the two parties would use a simpler “encryption” method. They would always initiate a chat with a known question and answer to reauthenticate each other. “I’d say ‘is it sunny?’ You’d say ‘the moon is raining’ or whatever nonsense, and then both of us can verify it’s still the other person on the device,” Obermayer explained.
After seeing some of the documents, the paper contacted the ICIJ, which then coordinated the press action on the matter.
Meanwhile, the shipments of data continued. It’s not clear how the source sent gigabytes or even terabytes of information at a time.
“I learned a lot about making the safe transfer of big files,” Obermayer said.
One way to send that much data, in addition to online services that allow fast data transfer, is the use of encrypted hard drives that can then be sent over to a third party.
Ultimately, Obermayer never found out who the leaker was.
“I don’t know the name of the person or the identity of the person,” Obermayer said. “But I would say I know the person. For certain periods, I talked to [this person] more than to my wife.”
The ICIJ then set up a two-factor-authentication-protected search engine for the data, which accredited reporters from news outlets across the word would be able to access, complete with a chat app that would allow cooperation between them.
The full leaked database has not reached the public, and it’s likely that it’ll never be leaked though stories may come out of it in the foreseeable future.
Meanwhile, Mossack Fonseca has acknowledged the data breach, according to a leaked email sent to customers, though it’s not clear how the data was extracted from the firm’s network.