Apple, Meta gave customer data to hackers posing as law enforcement officials
- Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the UK and the US
- The fraudulent legal requests were part of a months-long campaign that targeted many technology companies and began as early as January 2021
Apple and Meta Platforms, the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.
Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests”. Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, emergency requests do not require a court order.
Snap received a forged legal request from the same hackers, but it is not known whether the company provided data in response. It is also not clear how many times the companies provided data prompted by forged legal requests.
Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the UK and the US. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft, Samsung Electronics and Nvidia, among others, the people said. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group; the probe is ongoing.
An Apple representative referred Bloomberg News to a section of its law enforcement guidelines. The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Snap had no immediate comment on the case, but a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.