Forged legal requests result in data breach at Meta and Apple

Apple Inc. and Meta Platforms have fallen victim to forged legal requests from hackers, resulting in data breaches. 

 

Apple Inc. and the parent company of Facebook, Meta Platforms Inc., provided customer data to hackers who pretended to be law enforcement officials, according to a report from Bloomberg. Apple and Meta provided hackers with basic subscriber details, including the customer’s address, phone number and IP address, in mid-2021, in response to forged “emergency data requests.” Normally, data is only provided in response to a request backed by a search warrant or subpoena signed by a judge. However, in the case of emergency requests, a court order is not required. Snap Inc. also received a forged legal request from the same hackers, but it is unknown at the moment whether or not the company provided data in response. According to cybersecurity researchers, the suspected hackers sending these forged requests are minors located in the U.K. and the U.S. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group, the leader of which has been suspected of orchestrating this breach. Hackers affiliated with a cybercrime group known as “Recursion Team” are also believed to be behind some of the forged legal requests, which were sent to companies throughout 2021. The probe is ongoing.

 

Emergency requests, which typically do not require a signed order from a judge, were used to illegally obtain information from these companies.

 

In cases of criminal investigations, law enforcement around the world routinely asks social media platforms for information about users. In the US, for example, these requests usually include a signed order from a judge. Emergency requests, however, do not require a judge to sign off on them, as they are intended to be used in cases of imminent danger. Meta spokesman Andy Stone said in a statement, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.” Meta also states on its website, “In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

 

The forged legal requests were sent via email from compromised law enforcement accounts. 

 

The systems for requesting data from companies include special email addresses and/or company portals. Fulfilling the legal requests can be complicated due to the sheer number of law enforcement agencies worldwide, and the laws governing how user data is requested and released vary from one jurisdiction to another. Companies such as Meta and Snap operate their own portals to receive legal requests from law enforcement, but still accept requests by email and monitor requests frequently. Apple accepts legal requests for user data at an apple.com email address and, according to its legal guidelines, requires that the request be transmitted from the official email address of the requesting agency. The issue is that in some cases, compromising the email domains of law enforcement around the world is relatively simple, as the login information for these accounts is available for sale on online criminal marketplaces.
