Facebook owner Meta gave user information to hackers who pretended to be law enforcement officers last year, a company source said on Wednesday, highlighting the risks of a system used in emergencies.
Fraudsters were able to obtain details such as a physical address or phone number in response to a false “emergency data request,” which could lead to privacy breaches, the source said, requesting anonymity due to the sensitivity of the matter.
Criminal hackers are compromising email accounts or websites linked to the police or the government, then claiming they can’t wait for a judge’s order for information because it’s a “life-and-death issue,” cyber expert Brian Krebs wrote Tuesday.
Bloomberg News, which reported that Meta was originally targeted, also reported that Apple provided customer data in response to a fake data request.
Apple and Meta have not officially confirmed the incident, but both have issued statements outlining their policies on handling requests for information.
When U.S. law enforcement officials want data on the owner of a social media account or the relevant cell phone number, they must submit an official court-ordered warrant or subpoena, Krebs wrote.
But in an emergency, authorities may make an “emergency data request,” which “greatly bypasses any official review and does not require the petitioner to provide any court-approved documents,” he added.
Meta said in a statement that the firm reviews each data request for “legal adequacy” and uses “advanced systems and procedures” to validate law enforcement requests and identify abuses.
The statement added, “We block known compromised accounts from requesting and work with law enforcement agencies to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Apple cited its guidelines, which state that in the case of an urgent request, “a supervisor of the government or law enforcement agent who submitted the request … may be contacted and Apple may be asked to confirm that the urgent request was valid.”
Krebs noted that the lack of a single, national system for such requests is one of the main problems associated with them, since each company decides how to deal with them.
“To complicate matters further, there are several thousand police powers around the world – of which about 18,000 are in the United States alone – and what hackers need to succeed is unauthorized access to a single police email account,” he wrote.