Meta and Apple both complied with fake law enforcement data requests

At least some of the data obtained this way has already been used for harassment and financial fraud schemes.

Two of the most successful technology companies in the world have been sharing user data, including addresses, phone numbers, and IP addresses, with hackers. Meta and Apple both complied with data requests that turned out to come from fake law enforcement workers, three people tell Bloomberg.

Many tech companies, especially larger ones, have created processes by which law enforcement can request data on an “emergency” basis. These requests differ from usual legal requests for data in that no court order or warrant is necessary for them to be carried out.

It’s unclear just how much damage was done by the hackers; Bloomberg’s sources did not know how many times such data requests had been fulfilled by either Meta or Apple, and neither company has exactly been forthcoming in copping to the mistakes.

More troubling still: Some of the information obtained through these forged requests is being used for harassment campaigns and financial fraud schemes.

Meta and Apple won’t say yes — Neither Apple nor Meta is ready to admit culpability in this matter just yet. When contacted by Bloomberg, Apple essentially said the publication should go look at its law enforcement guidelines. The relevant section comprises exactly one sentence of the policy, stating that those requesting emergency data “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Meta provided a lengthier statement, written by the one and only Andy Stone.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Stone said. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Lapsus$ suspected — So far, cybersecurity experts have exactly one lead on who might be behind these phony requests — but it’s a big one. Researchers believe at least some of the forged requests are being sent by minors in the U.S. and the U.K., potentially members of the cybercrime collective Lapsus$.

That name might sound familiar; Lapsus$ has garnered quite a reputation as of late by breaching big companies like Nvidia, Samsung, and Microsoft. The hackers reportedly made their requests look quite legitimate, even going as far as to fake signatures of law enforcement officers.

Time for an overhaul — While it’s easy to place the bulk of the blame for this on the individuals reviewing legal requests at Apple and Meta, the problem is much larger than that. Verifying requests via company systems is easier said than done, especially given variations in local laws for these types of data requests. Further complicating matters: fake law enforcement email addresses are available for sale on the dark web.

Keeping user data safe while also complying with legal requests is never going to be easy. An overhaul of these systems might cut down on this particular crime for a while — but hackers have a way of adapting quickly to just about any system upgrades.

It’s not only Big Tech being affected by this problem, either. Discord has confirmed the fulfillment of at least one fake legal request, and Snapchat has received at least one such request, too. Finding a solution here is not going to be a quick process.