Naked Security

Is the 1.6TB Paradise Papers exposé a leak or a hack?

Is there a difference between a breach and a leak, and how are the Paradise Papers any different than the Equifax debacle?

Until a few days ago, nobody had an inkling that Apple Computer, musician Bono, F1 racing driver Lewis Hamilton and Britain’s Queen Elizabeth II had anything important in common beyond being very famous.

And yet they do, according to the Paradise Papers, a 1.6TB leak of about 13 million files which German newspaper Süddeutsche Zeitung (SZ) and the International Consortium of Investigative Journalists (ICIJ) allege contains evidence linking these, and many other well-known people, to tax havens.

Notice we just used the media’s preferred word leak instead of describing the revelations as a data breach which is, arguably, just as valid a description – the files were acquired without the consent of their owners after all.

So, is there a difference between a data breach and a data leak, and is it fair to draw a hard distinction between the Paradise Papers and, say, the database records pilfered from companies such as Equifax?

Untangling this means measuring four issues: the number of people affected, the type of data made public, the balance of damage versus public interest (which influences legal arguments), and most important of all, the motivation and methods of the leakers or breachers.

SZ says the Paradise Papers were gathered from 21 different sources, with law firm Appleby reportedly the biggest single contributor, bulked out by documents from Asiacity Trust and the business registers of 19 tax havens.

Although smaller in size than the Panama Papers of 2016 (a previous SZ/ICIJ leak), the researchers still had to use a big data system from Australian company Nuix to analyse the trove of Word documents, PowerPoint files, images, spreadsheets, emails and PDFs.

Unlike most breaches, then, these were not personal data records, and the number of people affected is a minuscule fraction of the perhaps 3 billion affected by the Yahoo breach, or even the 145 million individuals caught up in the Equifax debacle. Similarly, the data is not being released in its raw file form and is being processed carefully by journalists (albeit a large number) working within the law.

That looks like it’s 2-0 to the argument that this is, potentially, a legitimate leak.

Public interest and motivation are tougher to assess. The newspaper and the ICIJ see a public interest, not dissimilar to that claimed by Wikileaks when it posted Bradley Manning’s “collateral murder” footage in 2010, and by Edward Snowden when he lifted the lid on NSA surveillance in 2013.

A problem with this is that a fair amount revealed by the Paradise Papers appears to be legal. This doesn’t mean there is not a public interest in knowing about it but slightly muddies the waters legally and morally.

Where the data came from, and who leaked it, might be the deciding question.

It’s tempting to assume that a cache of documents this huge must have come from an insider with special access, but this is contested. SZ stated:

For reasons of source protection, the SZ does not provide information on how the data reached the newspaper, who submitted it, and when it was handed over.

While Appleby claims:

We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act and our systems were accessed by an intruder who deployed the tactics of a professional hacker.

Acquiring the data from an internal source might sound as if it amounts to the same thing as acquiring it from an external one, but arguably it does not.

Whether or not one agrees with Snowden and Manning’s decision to leak, they saw the data before releasing it, and their claim to have acted in good faith at least deserves examination.

Not so a hacker breaking into an organisation from outside who must commit the criminal act without prior knowledge of what they might find. How this data came into SZ’s hands isn’t immaterial.

So, leak or breach? It looks like a scoring draw, which alerts us to the possibility that the Paradise Papers perhaps lie uneasily somewhere between the two.

A solution might be to stop worrying about semantics and just call everything a breach, accepting that a small number will later be deemed principled whistleblowing.

What must be painfully apparent to organisations up and down the land – especially legal firms holding piles of client data – is that data protection laws count for little in these situations. Salvation’s front line is still better security, not bigger punishments.


“being processed carefully by journalists (albeit a large number) working within the law.”

Isn’t the law-abiding procedure when receiving stolen goods to turn them over to the police?

Since it seems unlikely that someone on a lark breaks into and rifles through multiple lawyers’ offices and government registers all over the world (even if it’s done from a cosy office somewhere), one may also ask who paid for the breaches. Süddeutsche Zeitung?


“Leak” means someone with access to confidential information told someone else who made it public. “Breach” means someone broke through defenses to steal the information. So this is both a breach and a leak (the breacher leaked the info), but you can also have either one without the other.


The phrase “a rose by any other name…” comes to mind, Mr Dunn. Journalism is about a play on words. A leak or a breach, the result is the same. Is the means of theft any less a crime if it is done from the inside or out? One thing is certain. It is theft, which is a crime. Thank you for an interesting article.


The old moral dilemma of privacy v public good.
In the context of Apple/Ireland and various companies/Luxembourg cutting advantageous tax deals that the EU considers to have avoided taxes, there is definitely a public interest. One of the arguments for Brexit is that we can then lower taxes to attract companies here, and the EU is not happy about a tax race to the bottom led by the UK, so shedding some light on tax avoidance is relevant in today’s context. Of course, if we adopted the practice of some of the Scandinavian countries, where everybody’s tax return can be viewed publicly, it would be far less of an issue.
