The front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
The law firm at the centre of the Panama Papers hack has shown an “astonishing” disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013.
Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, which abuses a server’s support for the obsolete and insecure SSL v2 protocol to decrypt TLS sessions protected by the same RSA key. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
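The precondition for DROWN is simply that the server still answers an SSL v2 handshake, and the cheap general form of the attack additionally needs the server to offer 40-bit export ciphers. The following probe is an added illustration of how a practitioner checks for that, not code from the original article or from any of the systems it describes; the target host and port are assumptions, and the sample SERVER-HELLO is constructed inline so the parser can be exercised offline.

```python
"""Check whether a server still speaks SSLv2 (the DROWN precondition).

Added example, not code from the article or from the systems it describes.
The hostname passed on the command line is an assumption; SAMPLE_SERVER_HELLO
is a constructed reply used to exercise the parser without a network.
"""
import os
import socket
import struct
from typing import Dict, List, Optional

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 draft.
SSLV2_CIPHERS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export ciphers: what the general DROWN attack brute-forces.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

CLIENT_HELLO, SERVER_HELLO, SSLV2_VERSION = 0x01, 0x04, 0x0002


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in a 2-byte SSLv2 record header (high bit set, no padding)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec so any SSLv2 server answers."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)  # dict iteration yields the 3-byte keys
    body = (
        bytes([CLIENT_HELLO])
        + struct.pack(">H", SSLV2_VERSION)
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # cipher/session-id/challenge lengths
        + ciphers
        + challenge
    )
    return sslv2_record(body)


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Return the fields of an SSLv2 SERVER-HELLO, or None if the reply is not one."""
    if len(data) < 2 or not data[0] & 0x80:
        return None  # TLS alert, HTTP banner, or padded 3-byte header: not SSLv2 hello
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2 : 2 + length]
    if len(body) < 11 or body[0] != SERVER_HELLO:
        return None
    (version,) = struct.unpack(">H", body[3:5])
    cert_len, ciphers_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    raw = body[11 + cert_len : 11 + cert_len + ciphers_len]
    specs = [raw[i : i + 3] for i in range(0, len(raw) - len(raw) % 3, 3)]
    return {
        "version": version,
        "cert_len": cert_len,
        "ciphers": [SSLV2_CIPHERS.get(s, s.hex()) for s in specs],
        "export": [SSLV2_CIPHERS[s] for s in specs if s in EXPORT_CIPHERS],
    }


def assess(hello: Optional[dict]) -> str:
    """Turn a parsed reply into a verdict about DROWN exposure at this endpoint."""
    if hello is None or hello["version"] != SSLV2_VERSION:
        return "no SSLv2: not exposed to DROWN via this endpoint"
    if hello["export"]:
        return "SSLv2 with export ciphers: general DROWN precondition met"
    return "SSLv2 accepted: DROWN-relevant if the RSA key is shared with a TLS service"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one SSLv2 CLIENT-HELLO and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        reply = s.recv(4096)
    return assess(parse_server_hello(reply))


def build_server_hello(cert: bytes, specs: List[bytes], conn_id: bytes) -> bytes:
    """Construct a SERVER-HELLO (certificate type 0x01 = X.509) for offline testing."""
    body = (
        bytes([SERVER_HELLO, 0x00, 0x01])
        + struct.pack(">H", SSLV2_VERSION)
        + struct.pack(">HHH", len(cert), 3 * len(specs), len(conn_id))
        + cert + b"".join(specs) + conn_id
    )
    return sslv2_record(body)


# Constructed reply: a server that still speaks SSLv2 and offers a 40-bit export cipher.
SAMPLE_SERVER_HELLO = build_server_hello(
    b"\x30\x82\x00\x00", [b"\x01\x00\x80", b"\x02\x00\x80", b"\x07\x00\xc0"], b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    print(assess(parse_server_hello(SAMPLE_SERVER_HELLO)))
    if len(sys.argv) > 1:  # e.g. python drown_probe.py portal.example.com (assumed host)
        print(probe(sys.argv[1]))
```

A positive result shows only that the endpoint accepts SSL v2; confirming DROWN exposure of a separate TLS service also requires checking that the two share an RSA certificate or key, which this probe does not do.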
On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
“It shows the way they configured the server and the way they configured the website is not within the best security practices,” David Davies of IP6net said. Davies added that the same method could be used by others to access the data.
Precisely what vulnerability the attacker used is not known and Mossack Fonseca has said it is carrying out “an in-depth investigation with experts”, while also taking “additional measures” to strengthen its systems.
In a leaked email to customers, Mossack Fonseca confirmed an “unauthorised breach” of its email servers. Company partner Ramon Fonseca has since said the leak was not “an inside job” and that the company had been hacked by servers based abroad. The company did not respond to requests for comment.
It also remains unclear who carried out the attacks. Woodward disagreed, saying the vulnerabilities in Mossack Fonseca’s systems made it “vulnerable to external scanning and exploitation”. The attacker may even have been a nation state, he continued. “If I were a betting man I would place a two way bet between an external hacker who got lucky by probing, was shocked by what they saw and leaked it, and a nation state fed up with tax avoidance.”
The Panama Papers detail 214,488 offshore entities held by Mossack Fonseca, including entities linked to public officials. The leak includes emails, contracts, scanned documents and transcripts. Broken down by file type, the leak comprises 4.8 million emails, three million database files, 2.1 million PDFs, 1.1 million images, 320,166 text files and 2,242 files in other formats. All the files came organised in folders for the individual shell firms they related to. A full list of companies and people linked to the offshore entities will be published in May 2016.