When it comes to providing specific user data, Apple relies on official legal requests from law enforcement and government agencies. However, it turns out that the company may have been duped by some forged requests, and, as a result, provided user data to nefarious individuals.
A new report from Bloomberg outlines that both Apple and Meta (formerly known as Facebook) provided user data to hackers that utilized forged legal requests to obtain that information. The report is based on information shared with the publication from three individual, anonymous sources. The hackers shadowed themselves as law enforcement agents, and were ultimately able to convince the necessary Apple employees to provide them with the data they were after.
That includes IP addresses, phone numbers, and even customer addresses. They were finally able to retrieve this information from Apple after sending what’s known as “emergency data requests.” The report indicates that the hacker group was able to secure bypassed email domains that belong to law enforcement officials from a variety of different countries.
In most cases, a subpoena and/or a search warrant is necessary to get these details. However, the “emergency data request” is seen differently as it’s meant to only be utilized when there’s a case for imminent danger. As a result, Apple, after going through the process of verifying the requester, can provide the requested information without requiring a subpoena or search warrant.
Apple’s comment on the matter isn’t necessarily all that helpful:
In response to a request for comment, an Apple representative referred Bloomberg News to a section of its law enforcement guidelines.
The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.
Meta, on the other hand, basically confirmed that the hacker group was able to obtain some user data information based on the usage of fraudulent requests. The company also confirmed that it is working with legitimate law enforcement agencies to sort things out.
One would imagine Apple will do the same thing, if it isn’t already.