May 2, 2022
Major technology companies, including Meta, Apple, Google, Snapchat, Twitter, and Discord, have been duped by fraudulent emergency data requests initiated by malicious bodies for harassment and sexual exploitation of women and minors, according to federal law enforcement officials and industry investigations.
Emergency data requests for sensitive personal data are routinely issued by governmental enforcement authorities to counter imminent danger to data subjects, such as suicide, murder, or abduction. Recently, however, the practice has been adopted by private bodies acting for financial or malicious ends. Because the requests appear to come from governmental authorities, companies struggle to verify whether such messages are authentic.
Even though the methods used by malicious bodies vary, they tend to follow a general pattern: the attacker compromises the email system of a law enforcement agency and uses it to send a forged “emergency data request” to a company, seeking a user’s account data. The data the companies hand over to the attackers is the same data they would provide to law enforcement authorities under a court-ordered subpoena, and usually includes the user’s name, IP address, physical address, and email address. Such data is often used to break into the user’s other online accounts or to extort the data subject.
In order to minimize the risk from such acts, we recommend implementing a proper user request response policy which includes, among other measures, the involvement of a professional DPO when processing user data requests.
This document is intended to provide only a general background regarding this matter. It should not be regarded as binding legal advice, but rather as a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.