Disclaimer:This post is made based on assumptions and other comments made in online forums threads and none of this should be considered as true, but we want to show the importance of the points mentioned below.
To enter context, if you do not know which is the case of Mossak Fonseca, read the following link (Spanish): http://www.prensa.com/judiciales/Claves-entender-caso-Mossack-Fonseca_0_4404309643.html
In summary, the Case Mossack Fonseca, aka "Panama Papers" is the biggest data breach in history and includes more than 4.8 million emails in addition to other documents.
It is believed that Mossack Fonseca mails were obtained through a Wordpress site and gained access to documents through a Drupal portal. Reference here.
In this post we'll talk about what could have happened with Drupal. As mentioned by a client of the firm in their portal: https://portal.mossfon.com/
And here is the description:
"The Mossfon Client Information Portal is a secure online account that enables to access your corporate information anywhere and everywhere, with real time updates of your ongoing request."
The Drupal version that the site was running at the time they allegedly were attacked was Drupal 7.23. at that time it had already been reported 23 vulnerabilities and right now currently stands at 31:
This is just the core of Drupal, not counting vulnerabilities that could be in the contributed modules.
It was very easy to see that Drupal was in that version because it was possible to access the site changelog on the link:
Which is now returning Forbidden, but here is a screenshot:
But apparently they only blocked this file and other files that revealed information such as INSTALL.txt:
These are basic files that come in all Drupal installation and should be protected or removed. For this reason it is very possible that Drupal has been one of the points of entry of this major breach.
Programmers are not perfect and it is expected that a published software may have security flaws are at some point. This occurs in all types of software; operating systems, web platforms (Remember the celebrity icloud breach?), mobile, desktop apps, etc.
Specifically Drupal, is a platform that behind has a community that takes safety seriously enough and has a team dedicated to safety, Drupal Security Team which programmers supports and resolve security issues related to Drupal.
Recently on the Drupal.org site included a new feature that displays a shield icon in the contributed modules, this means that that version of the module was inspected by the Drupal security team. We can see an example on page panels project:
At this time the Drupal version 7 has "coverage" of the Drupal Security Team:
What could Mossack Fonseca have done to improve the security of your site made in Drupal:
These are just some basic configurations, but there are a number of other things that can be done to keep your site secure. If you have questions or need information about the security of your site please contact us.