
Should you be accessing someone’s breached data?

I don’t profess to be a lawyer or to fully understand the intricacies of the legal system here in the US or abroad, but I have wondered for many years whether access to stolen information such as the Panama Papers is legal.

I remember when I headed up a global CERT that we had instructed the members of the team not to look at breach data from other organizations, even though it may have included information about us. The theory was that even though this information was “in the public domain,” it was still stolen and belonged to the organization that had been breached.

One way we got around this was to have vendors who would scan the breached data and send us our information. To this day I am not sure where and how they did this, but we no longer had the liability, and that was the main point. It is also important to point out that the reason organizations may need access to this data is to stop fraud that may be perpetrated with the stolen information.

Without getting into the ethical details of this issue, I wonder how many firms actually allow their employees to search for things on Wikileaks that are part of breached data. How would they feel if everyone searched their stolen data?

On May 9th, many media outlets were giving people the address of a site that contains more than 200,000 offshore companies found in the Panama Papers in a searchable database. The question in this case, as in many others, is: do you really NEED to see the data to protect your organization, or is it just eye candy?

If you do have the need to view these companies and you do it from your corporate device, make sure that your company allows you to do so. Also remember that sometimes hackers will load malware on the site so they can infect your system. Reviewer Beware!!