Forged legal requests result in data breach at Meta and Apple

Apple Inc. and Meta Platforms handed over user data in response to forged legal requests from hackers, resulting in data breaches.


Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who posed as law enforcement officials, according to this report from Bloomberg. In mid-2021, in response to forged “emergency data requests,” Apple and Meta handed over basic subscriber details, including the customer’s address, phone number and IP address. Normally, user data is only released in response to a search warrant or subpoena signed by a judge; for an emergency request, however, no court order is required. Snap Inc. received a forged legal request from the same hackers, but it is not yet known whether the company provided data in response. According to cybersecurity researchers, the suspected senders of these forged requests are minors located in the U.K. and the U.S. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group, whose suspected leader is believed to have orchestrated this breach. Hackers affiliated with a cybercrime group known as the “Recursion Team” are also believed to be behind some of the forged legal requests, which were sent to companies throughout 2021. The probe is ongoing.


Emergency requests, which typically do not require a signed order from a judge, were used to illegally obtain information from these companies.


In criminal investigations, law enforcement agencies around the world routinely ask social media platforms for information about users. In the US, for example, these requests usually come with a signed order from a judge. Emergency requests, however, do not require a judge to sign off on them, as they are intended for cases of imminent danger. Meta spokesman Andy Stone said in a statement, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.” Meta also states on its website, “In emergencies, law enforcement may submit requests without legal process. Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”


The forged legal requests were sent via email from compromised law enforcement accounts. 


The channels for requesting data from companies consist of dedicated email addresses and/or company portals. Fulfilling legal requests is complicated by the sheer number of law enforcement agencies worldwide, and by the fact that different jurisdictions have different laws governing how user data is requested and released. Companies such as Meta and Snap operate their own portals for receiving legal requests from law enforcement, but still accept requests by email and monitor them frequently. Apple accepts legal requests for user data at an apple.com email address and, according to its legal guidelines, requires that the request be sent from the official email address of the requesting agency. A check of the sending domain only establishes that the message came from a genuine agency mailbox, not that a genuine officer wrote it: a request sent from a compromised but legitimate account passes the check. This is the weak point, because in some cases compromising the email accounts of law enforcement agencies around the world is relatively simple, as the login credentials for these accounts are offered for sale on online criminal marketplaces.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Fine imposed on Meta Platforms by the Irish DPC

A €17 million fine imposed on Meta Platforms resulted from the company’s inability to demonstrate compliance with the GDPR’s security principle, following twelve personal data breaches.


The Irish DPC has imposed a fine of €17 million on Meta Platforms Ireland Limited (Meta Platforms). The company, formerly named Facebook Ireland Limited, was found to have infringed Articles 5(2) and 24(1) of the GDPR. Over a six month period between June and December 2018, the Irish DPC received a total of twelve data breach notifications from the company and launched an investigation. This investigation revealed that, in the context of those twelve personal data breaches, Meta Platforms had failed to implement the technical and organisational measures that would enable it to readily demonstrate the security measures it had actually put in place to protect EU users’ data.


The €17 million fine imposed on Meta Platforms was imposed in respect of Article 5(2) of the GDPR.


Article 5(2) requires that a controller be able to demonstrate compliance with the principles relating to the processing of personal data set out in Article 5(1). When the Irish DPC launched its inquiry into the company, its main purpose was to examine the extent to which the company had achieved compliance with Article 5(1)(f) of the GDPR. This Article requires that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” The controller is therefore not only responsible for complying with these principles, but must also be able to demonstrate the security measures it has implemented.


The DPC found that although Meta Platforms provided information and supporting documentary evidence that could be considered analogous to industry best practice and the state of the art, Meta Platforms failed to have appropriate technical and organisational measures in place, such as would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.


Because the processing was cross-border, the other EU/EEA supervisory authorities participated in the decision as concerned supervisory authorities.


The processing in question was “cross-border” and therefore, under Article 60 of the GDPR, the decision had to be made jointly with the other concerned European supervisory authorities. Article 60 sets out the cooperation procedure through which all cross-border decisions are made. Two European supervisory authorities initially objected to the draft decision, but through further engagement between all parties an agreement was reached. Last week, the DPC published a concise statistical report on its handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) to date. The report shows that 86% of its cross-border cases so far concern just 10 companies, and that 38% of the complaints the DPC has transferred to other EU/EEA lead supervisory authorities (excluding the UK) have been concluded.


Meta considers EU shutdown

Meta considers an EU shutdown in the absence of a framework for the storage of EU data on US servers.


Representatives from Meta have raised the possibility of the company having to shut down Instagram and Facebook services in the EU unless a framework is put in place that allows it to store EU data on US servers. The company’s recent annual report noted that, unless it can store, transfer and process data from its European users on the US-based servers it has always used, Facebook and Instagram may have to be withdrawn across the EU.


Meta representatives call for clear global rules to protect transatlantic data flows over the long term.


With the current mechanisms for transatlantic data transfers under heavy scrutiny in Europe, the company needs a new framework in order to continue operating in the EU. Several businesses have had their transatlantic data transfer practices called into question. Some companies have relied on Standard Contractual Clauses (SCCs) to facilitate these transfers; however, it has been suggested that SCCs cannot in practice be used for EU-US transfers. According to a report from City AM, Nick Clegg, VP of Global Affairs and Communications at Meta, said “Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”


Since the invalidation of the Privacy Shield, many companies have had to change the way they operate in an effort to remain in compliance. 


Since the invalidation of the Privacy Shield in July 2020, the impact has been felt by businesses across Europe that previously used US servers, or the services of US-based companies, in ways that involved transferring EU users’ data to the US. Under US law, European user data transferred to the US may be accessed by US intelligence agencies. As a result, several companies have been ordered to stop using US cloud services and other US-based service providers. Many companies turned to Standard Contractual Clauses (SCCs) to facilitate these transfers. In many cases, however, this has been found to be an inadequate solution, because SCCs by themselves do not protect the data from access by US intelligence. Meta is one of several companies that have been investigated for unlawful data transfers to the US.

While the Irish DPC’s investigation is ongoing, the watchdog has previously reached a preliminary conclusion against the use of SCCs to facilitate transatlantic data flows.


In August 2020, the Irish DPC informed Facebook of its preliminary view that the company’s use of Standard Contractual Clauses for EU-US transfers was not in line with the GDPR, which would mean that Facebook would have to stop processing European users’ data on US servers. Facebook challenged this preliminary conclusion in court, so no change has yet come about. The court ruled that the Irish DPC’s investigation may continue, and a final decision is expected within the first half of this year. Since the Schrems II judgment of the Court of Justice of the EU, a data transfer impact assessment is required for transfers that rely on SCCs. Meta’s current position is that it may no longer be feasible to offer its services in the EU should its use of Standard Contractual Clauses be found unlawful at the end of the investigation.
