According to people with knowledge of the situation, Apple Inc. and Meta Platforms Inc., the parent company of Facebook, supplied consumer data to hackers posing as law enforcement authorities.
In mid-2021, Apple and Meta provided basic subscriber details, such as a customer’s address, phone number, and IP address, in response to the forged “emergency data requests.” According to the people, such requests are usually only granted with a search warrant or subpoena signed by a court. Emergency requests, however, do not require a court order.
Cybersecurity experts believe that some of the hackers who sent the fraudulent requests are minors from the United Kingdom and the United States.
According to sources, one of the minors is suspected of being the brains behind the cybercrime group Lapsus$, which has attacked Microsoft and Samsung Electronics. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking gang; the investigation is still ongoing.
A potential solution to the use of forged legal requests sent from hacked law enforcement email systems will be difficult to find, said Nixon of Unit 221B.
“The situation is very complex,” she said. “Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”
According to the Apple guidelines, a supervisor for the government or a law enforcement official who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”