The Panama Papers and Drupal Security: What You Need to Know

Whether it be tax receipts, family photos or medical information, the general public assumes that their personal information is safe and secure when they carry out any sort of transaction or activity online.

But the latest leak on May 9, dubbed the “Panama Papers,” was another massive (searchable!) public data dump from the Panama law firm Mossack Fonseca. Totaling more than 11 million items and 2.6 terabytes of data, and considered the biggest breach of online security of its kind the world has ever seen, it continues to remind us that data stored online is only as secure as the systems in place to protect it and the people who oversee those systems.

So, what went wrong? In the story of how the Panama Papers came to be, there is an important lesson to be learned about the critically important albeit unglamorous part of website development — website maintenance and support.

Experts all agree that the breach was the result of the company’s failure to keep its website’s security systems updated. The Mossack website was built using a combination of outdated, vulnerable versions of the WordPress and Drupal content management systems. Its webmail servers were also outdated, meaning all of its website components were either outdated or not configured correctly in the first place to protect sensitive information. By failing to stay current on Drupal security updates, Mossack Fonseca compromised its clients’ sensitive information and is now paying dearly for it with this Panama Papers incident.

Is My Drupal Website Secure?

While no website is 100% safe from possible intrusions, Drupal is considered one of the most robust open source platforms when it comes to keeping information secure.

Drupal core has a variety of built-in features that are designed to protect sensitive data including:

  • Encrypted passwords that can be configured with a variety of parameters such as password length, complexity, and expiration.
  • Roles and permissions that limit the amount of access that a user can have on a site.
  • A robust encryption system for sensitive data.
  • Form API, which scrubs and validates data before it is entered into the database.
  • The ability to limit the number of failed login attempts.

In addition, there are a number of contributed modules that can add an additional layer of security to your website’s data.

Tips for Protecting Your Website Data

Again, all of the above features are only as effective as the time and effort spent on maintaining them. Here are some ways to work with your developer to ensure the continued protection of your site’s data:

  • Allocate a few hours a month for your developer to perform security updates and patches, and be flexible with that time when critical updates are available, to limit the time your site is exposed to critical vulnerabilities.
  • Subscribe to module updates.
  • Only store data on your site that is essential to the functioning of your business.
  • Avoid embedding PHP on your site.
  • Minimize the use of custom code.
  • If your site must store users’ Personally Identifiable Information (PII) such as medical history, credit card numbers, or SSNs, ensure you are following the appropriate security standards and consider having a security professional perform a penetration test of your site.

Maintaining and bolstering your website’s security is an ongoing, never-ending process that requires diligence, attention to detail, and staying informed about up-and-coming vulnerabilities in order to mitigate them.