Forged legal requests result in data breach at Meta and Apple

Apple Inc. and Meta Platforms have fallen victim to forged legal requests from hackers, resulting in data breaches. 


Apple Inc. and the parent company of Facebook, Meta Platforms Inc., provided customer data to hackers who pretended to be law enforcement officials, according to this report from Bloomberg. Apple and Meta provided hackers with basic subscriber details, including the customer’s address, phone number and IP address in mid-2021, in response to forged “emergency data requests.” Normally, data requests are only provided with a search warrant or subpoena signed by a judge. However, in the case of emergency requests a court order is not required. Snap Inc. also received a forged legal request from the same hackers, but it is unknown at the moment whether or not the company provided data in response. According to cybersecurity researchers, the suspected hackers sending these forged requests are minors located in the U.K. and the U.S. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group, the leader of which has been suspected of orchestrating this breach. Hackers affiliated with a cybercrime group known as “Recursion Team” are also believed to be behind some of the forged legal requests, which were sent to companies throughout 2021. The probe is ongoing. 


Emergency requests, which typically do not require a signed order from a judge, were used to illegally obtain information from these companies.


In cases of criminal investigations, law enforcement around the world routinely asks social media platforms for information about users. In the US for example, these requests usually include a signed order from a judge. Emergency requests however, do not require a judge to sign off on them, as they are intended to be used in cases of imminent danger. Meta spokesman Andy Stone said in a statement, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.” Meta also states on its website, “In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.” 


The forged legal requests were sent via email from compromised law enforcement accounts. 


The systems for requesting data from companies include special email addresses and/ or company portals. Fulfilling the legal requests can be complicated due to the sheer number of law enforcement agencies worldwide. Various jurisdictions have varying laws concerning the process of requesting and releasing user data. Companies such as Meta and Snap operate their own portals to receive legal requests from law enforcement, but still accept requests by email and monitor requests frequently. Apple accepts legal requests for user data at an email address, ensuring that it is transmitted from the official email address of the requesting agency, according to Apple’s legal guidelines. The issue is that in some cases, compromising the email domains of law enforcement around the world is relatively simple, as the login information for these accounts is available for sale on online criminal marketplaces. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Apple data sharing

Apple faces scrutiny for data sharing practices

Apple accused of potential improper data-sharing.

Earlier this month American multinational technology company Apple came under scrutiny for its data-sharing practice of sending IP addresses from users of its Safari browser to Google and Chinese-based tech company Tencent.

Apple has since defended this practice, noting that it is a Safari Fraudulent Warning security feature aimed at flagging websites known to be malicious. In an interview with iMore, Apple reportedly noted that When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never sharedwith a safe browsing provider and the feature can be turned off.

It is of note that Apples Fraudulent Website Warning setting is automatically set to on. As such users would have to delve into their settings and toggle this off if they do not want to have their IP address forwarded to Google and Tencent when using the Safari browser. It is also reported that toggling this setting to offwould potentially render browsing sessions less secure.

Potential GDPR and CCPA implications?

Considering that IP addresses can reveal user locations and can also be used to profile users,they are deemed as online identifiers, thus they are personal data as covered by Recital 30 GDPR, which means that this feature would be subject to GDPR compliance.

The recent Cookies Consent ruling by the CJEU, explored in one of our recent blog posts could also potentially affect the way Apple handles its default permission settings.

Moreover, with the California Consumer Privacy Act Regulations (CCPA Regulations)schedule to take effect on January 1, 2020introducing  consumer rights related third party sharing for companies doing business with California residents; it is likely that Apple would also have to review this practice to ensure CCPA compliance.

This practice was explained in the privacy policy within the section “About Safari & Privacy” and it was publicly accessible to anyone who opened the Settings app. However, one should note that even though the privacy policy shall contain every personal data processing carried out by the controller for the sake of transparency and in line with articles 13 and 14 GDPR, it does not mean that any data processing added to the privacy policy will automatically become lawful, for which a valid legal basis for the processing (contract, consent or legitimate interest among others) is required.

Does your company website facilitate data sharing to third parties? Aphaia’s  GDPR and CCPA adaptation services, including our  data protection impact assessments and Data Protection Officer outsourcing will help you ensure compliance with the soon to be effected CCPA Regulations and GDPR.

Reference: iMore