Tech giants turned over user data to hackers, report says

Report: Apple, Meta turned over user data to hackers pretending to be law enforcement

Brad Dress, The Hill via Nexstar Media Wire

Updated: Mar 31, 2022 / 05:36 AM CDT

FILE – In this Wednesday, Dec. 16, 2020 file photo, the logo of Apple is illuminated at a store in the city center in Munich, Germany. (AP Photo/Matthias Schrader, file)

(The Hill) — Apple and Facebook parent company Meta turned over user data last year to hackers pretending to be law enforcement officials, Bloomberg reported, citing three people familiar with the matter.

The companies provided user details such as addresses, phone numbers and IP addresses in mid-2021 to the hackers, sources told Bloomberg. The hackers had requested the information via forged “emergency data requests,” which do not require court approval like typical warrants or subpoenas do.

It’s unclear how much data was turned over.

Apple received 1,162 emergency requests from 29 countries between July and December 2020 and turned over data for 93 percent of those, Bloomberg noted. Meta received 21,700 emergency requests from January to June 2021 and turned over data for 77 percent of those requests.

Facebook has been scrutinized for its handling of user data for years following reports that Cambridge Analytica obtained data on tens of millions of the platform’s users.

In a statement obtained by The Hill, Meta spokesperson Andy Stone said, “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse.”

“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” he said.

An Apple spokesperson pointed The Hill to guidelines that law enforcement agencies seeking customer data may be contacted to confirm the request was legitimate. “The government or law enforcement agent who submits the Emergency Government & Law Enforcement Information Request should provide the supervisor’s contact information in the request,” the guidelines read.

The hackers may have been involved with cyber crime groups Recursion Team or Lapsus$, three people involved in the investigation told Bloomberg.

Lapsus$, a South American hacking group, was responsible for hacking Microsoft, Okta, NVIDIA and Vodafone earlier this year.

The user data may have been used to engage in financial fraud schemes, sources told Bloomberg. One person familiar told the outlet that the information has been used for harassment campaigns.

Cybersecurity blog Krebs on Security reported on Tuesday that criminal hackers are now using illegal access to police email systems to send fake emergency data requests in order to obtain private data.

Hackers using this method will send fake requests to companies and claim that if the data they ask for isn’t provided immediately, innocent people will be subjected to significant suffering or death, according to the blog.