Apple and Meta Platforms, the parent company of Facebook, unknowingly provided user data to hackers masquerading as law enforcement, industry insiders allege. The two tech giants released the data in response to forged emergency data requests from fake law enforcement officials. Emergency requests of this nature do not require a subpoena, so private businesses often comply quickly in order to help facilitate whatever investigation the police deem a priority. In this instance, however, the hastened pace of the “investigation” actually led to the bypassing of critical security measures.
At a glance
- Hackers convinced multiple technology companies like Apple and Facebook to release sensitive user data under the guise of law enforcement requests
- The hackers use the data for a wide range of unsavory schemes, like harassment campaigns and financial fraud
- Cybersecurity experts say that although this instance looks bad for tech companies, those companies actually do a good job policing the myriad of false requests that they receive annually
Apple and Meta provided the basic user data, such as a customer’s address, phone number, and IP address, in mid-2021. Snap Inc. also received a formal data request from the same hackers, but it is not known whether or not they complied. It is also not known how many times the companies in question provided the data.
Cybersecurity experts believe the hacking syndicate Lapsus$ coordinated the crimes in concert with other hacker groups. Lapsus$ also hacked Microsoft, Samsung, and NVIDIA in the past. Police currently believe that the syndicate operates in both the U.K. and U.S., according to Bloomberg News.
When asked by media about the user data leak, Apple cited a portion of its law enforcement guidelines. The guidelines state that Apple “may contact law enforcement to ensure legitimacy” of such requests. Meta Platforms spokesperson Andy Stone issued a statement in response to media questions.
“We review every data request for legal sufficiency. Furthermore, we use advanced systems and processes to validate law enforcement requests and detect abuse,” Stone said in a statement. “We block known compromised accounts from making requests; and we work with law enforcement to respond to incidents involving suspected fraudulent requests.”
Snap Inc. did not comment on the matter but did emphasize similar safeguards used to detect fraudulent requests from law enforcement.
Apple and other companies receive thousands of user data requests every year
Big technology companies around the world routinely work with police to aid in criminal investigations. In America, requests normally need a judge’s signature in order to proceed. Extreme circumstances, though, permit the exchange of personal information when time is a factor.
The information obtained by the hackers using the forged legal requests has been used for a number of criminal enterprises. The hackers use the information to coordinate harassment schemes, financial cons, and account security manipulations.
By all accounts, the forged requests appeared legitimate, and the private employees are not under investigation. In some instances, the documents even included the forged signatures of real or fictional law enforcement officers. Allison Nixon, chief research officer at the cyber firm Unit 221B, said the system between tech companies and law enforcement works well, despite this current hurdle.
“In every instance of a mistake, at the core was a person trying to do the right thing,” Nixon said. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.”
From July to December 2020, Apple received 1,162 emergency user data requests from 29 countries.