SAN FRANCISCO, California – A corporate insider revealed Wednesday that last year, Meta, the owner of Facebook, supplied user information to hackers posing as law enforcement authorities, a corporate insider revealed Wednesday, exposing the dangers of a tactic employed in emergency situations.
The source, who asked not to be named because of the sensitivity of the situation, says that imposters got information like physical addresses and phone numbers by making fake “emergency data requests.” This could get around privacy protections, the source says.
Criminal hackers have been hijacking email accounts and websites associated with law enforcement or the government, saying they cannot wait for a judge’s order to get information because it is a “urgent issue of life and death,” cyber expert Brian Krebs said Tuesday.
A report by Bloomberg News, which first said Meta was being targeted, also said that Apple has responded to fake data requests with consumer data.
Apple and Meta didn’t say anything publicly about what happened, but they did say that they follow certain rules when it comes to getting information from people.
When US law enforcement agents need information on the owner of a social media account or an associated mobile phone number, they must get a court-issued warrant or subpoena, Krebs said.
However, in emergency situations, authorities may issue a “emergency data request,” which “essentially circumvents any official scrutiny and does not need the requestor to provide any court-approved documentation,” he noted.
Meta said in a statement that it checks each data request for “legal sufficiency” and uses “advanced systems and procedures” to make sure law enforcement requests are legitimate and to stop them from being misused.
“We prevent known compromised accounts from making requests and collaborate with law enforcement to address cases involving suspected fraudulent requests, as we did in this case,” the statement said.
Apple indicated in its guidelines that in the instance of an emergency application, “a supervisor for the government or law enforcement agency that made the request may be contacted and requested to certify to Apple that the emergency request was valid.”
Krebs said that the absence of a unified, national structure for dealing with these types of requests is one of the primary issues since businesses must ultimately decide how to handle them.
“To compound problems, there are tens of thousands of police jurisdictions worldwide – including around 18,000 in the United States alone) and all it takes for hackers to succeed is unauthorized access to a single police email account,“ he said.