It’s reported that Apple and Meta handed over user data to hackers who faked emergency data request orders typically sent by law enforcement, according to Bloomberg. Fake emergency data requests are becoming increasingly common, as explained in a recent report from Krebs on Security.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
When we hear of big organizations such as Apple & Meta succumbing to fake emergency requests, leading to a data breach of highly sensitive information, we have to wonder how the message about rigorous data security gets missed or overlooked by those who gather, process, and store our data. But any organization, big or small, and no matter the industry they operate in, can become the next victim of a cyber attack. The harsh truth is this: threat actors will find a way to your organization’s data given enough time and incentive, no matter how fortified your digital environment is.
Last-generation data security methods such as protecting borders and perimeters around sensitive data no longer guarantee complete safety. Every business and governmental organization needs to be in the process of actively updating their data security posture to include data-centric strategies, which protect the data itself as opposed to perimeters around it. Protection methods such as tokenization and format-preserving encryption allow organizations to work with highly mobile data without de-protecting it. So, even if that data falls into the wrong hands, threat actors cannot compromise the sensitive information within. That’s an investment well worth exploring.
Emergency data requests from law enforcement are often vital in live ‘crime in action’ and vulnerable missing person cases among others. They come from dedicated units and registered investigators and by their very nature can frequently relate to vulnerable individuals, companies or groups. To describe the success of this methodology as a ‘slip-up’ is fairly accurate as the implementation of some very basic cyber hygiene (in this case a mandatory verification call-back for all emergency requests) on the part of Apple, Meta, or any law enforcement liaison team for that matter, would see attackers looking for other less simple ways to commit their crimes and offer an added layer of much needed protection.