In the world of big tech, Apple has long been known to be a pioneer in advocating for user privacy. From the privacy integrations found on its devices to policies put in place meant to protect its users, the company has gone to great lengths to back what they preach. However, according to CNET, Apple may have made a critical blunder that resulted in them inadvertently handing over private user information to a group of hackers.
The blunder allegedly happened as a result of Apple being duped by hackers posing as legitimate law enforcement personnel requesting user information. What’s more, is that Apple wasn’t the only major entity to fall for the hacker’s trap. Meta, the parent company of Facebook, also unwittingly sent a slew of users’ private information to the cybercriminals. Bloomberg reported that the con artists received revealing information like private residence addresses, IP addresses, and personal phone numbers.
The hackers were able to fool the two tech giants by exploiting a loophole in their data request policies. In Apple’s case, for instance, the hackers were able to make it look they were putting in for a genuine emergency information request. Normally, Apple requires law enforcement agencies to obtain court orders before they will willingly hand over user data. However, under certain emergency circumstances, the need for a warrant is voided.
It is unclear how exactly the hacker group was able to convince both Apple and Facebook that they were actually the law enforcement personnel they claimed to be. However, considering that Apple’s own policies and procedures regarding emergency requests states that the law enforcement official requesting the user information would be contacted to verify their identity. Logically then, the hackers were contacted and would have had to provide sufficient information to verify that they were who they were claiming to be. Solidifying that reasoning, Apple-focused publication iMore substantiated that the law enforcement agency in question was the entity that indeed suffered the first hack.
Even though the hackers remain at large, there has been speculation circulating regarding who was responsible for the personal privacy attacks on both Meta and Apple. One theory points to the notorious Lapsus$ cybercriminal group. In recent weeks, Lapsus$ successfully extracted sensitive source code from Microsoft. The group has also targeted other high-profile entities such as Samsung and Nvidia. It remains unclear as to whether there is any merit behind these speculations.
Moreover, at this point, both Apple and Meta are remaining tight-lipped as to whether or not they have any information regarding who is responsible or how they were seemingly able to be so easily fooled. Meta spokesman Andy Stone, however, did issue a statement on behalf of the tech giant. “We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Stone said.
Stone also pointed to the fact that it is a common practice for Meta to interact with law enforcement in the way in which it did with the hackers. Unfortunately, in this case, their seeming cooperation (as well as Apple’s) resulted in private user data being heavily compromised. Chief research officer at the cyber firm Unit 221B, Allison Nixon, put it best when she commented that “In every instance where these companies messed up, at the core of it there was a person trying to do the right thing.”