Meta, the parent company of Facebook, and Apple reportedly gave away sensitive information to hackers who were pretending to be law enforcement officials. The data passed to hackers includes the user's address, phone number, and IP address, according to a report from Bloomberg. The data was shared multiple times with hackers in mid-2021 in response to the falsified emergency data requests.
How did hackers gain access to the data?
In the modern-day world, every person, even a criminal, uses at least some service from big tech companies such as Google, Apple, and Facebook. Law enforcement officials, in a bid to obtain information about a culprit, often ask these big tech companies to share data to help with the case. While such requests require a subpoena or search warrant signed by a judge, emergency data requests don't.
Hackers took advantage of this loophole. The hackers first targeted the emails of the law enforcement officials. After gaining access to the email ID of the government officials, the hackers then submitted requests to these big tech companies in order to obtain sensitive information. While big tech companies generally verify these requests, in some cases slip-ups can happen, and thus data was shared with hackers.
According to a report from Krebs on Security, the online sale of government officials' email IDs by hackers is increasing day by day. The buyers are specifically looking for email IDs to target social platforms and extract sensitive information about users.
According to the report, Apple received 1,162 emergency data requests out of which Apple responded to 93% of the requests. On the other hand, Facebook received over 21,500 requests out of which 77% of the requests were answered.
Who did this?
The question arises, who actually did this? The report from Krebs notes that the majority of such hackers are teenagers. Some are believed to be the masterminds behind the group Lapsus$, the same group which targeted NVIDIA, Samsung, and Microsoft. Such attacks, though, are believed to be carried out by a cybercriminal team called the Recursion Team.
The Recursion Team has since dissolved and it is believed that some of the hackers have joined Lapsus$. The report notes that hackers repeatedly targeted these companies and extracted sensitive information for over seven months starting in January 2021.
What do Apple and Meta have to say about this situation?
In a statement to The Verge, Meta's spokesperson said that the company reviews "every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case."
On the other hand, Apple's spokesperson said:
"If a government or law enforcement agency seeks customer data in response to an Emergency Government & Law Enforcement Information Request, a supervisor for the government or law enforcement agent who submitted the Emergency Government & Law Enforcement Information Request may be contacted and asked to confirm to Apple that the emergency request was legitimate."
Is there anything that can be done about the situation?
Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, says that it's very difficult to find a simple solution for this. There is no centralized portal to submit such requests, as every agency has different ways of handling data. The report from Bloomberg states: "Fulfilling the legal requests can be complicated because there are tens of thousands of different law enforcement agencies, from small police departments to federal agencies, around the world. Different jurisdictions have varying laws concerning the request and release of user data."
Until a solution is found, companies and law enforcement should collectively take responsibility for such incidents and let users know that their data has been compromised, so that the data the hackers have gained causes no damage. Though the data leaked this time only includes the user's address, phone number, and IP address, it shows that hackers can easily gain access to a lot of data. The big tech companies and governments around the world need to come up with a solution because a lot of data is at stake.