Technology Companies Seeing Increase in Forged Legal Requests for Sensitive Consumer Data

Recently, it was revealed that several technology giants were tricked into releasing the private data of many of their customers when these companies complied with forged legal requests from hackers.  Apple Inc., Alphabet Inc., (Google), Snap Inc. (Snapchat), Meta Platforms Inc. (Facebook/Instagram), Discord Inc., and Twitter Inc. were among the big-name technology companies caught up in the scandal.  Unknowingly, these companies became complicit in complicated schemes targeting innocent victims when they passed along the private information of their users, including minors, to hackers posing as law enforcement.

Tech Companies Targeted with Forged Legal Requests

The targeted companies say that they were tricked into providing the personal information of its customers because they believed they were complying with legitimate legal requests received from legal enforcement agencies.  The issue arose when these hackers compromised the systems of unsecure law enforcement agencies, both domestic and abroad.  The hackers then posed as real individuals associated with the agencies and sent forged legal requests to the technology companies, asking for information on targeted victims in order to further hack those accounts. Because the technology companies were responding to what they thought were requests for information in response to emergencies, the sensitive data was often passed to the hackers quickly and without thorough review.  According to officials familiar with the investigation, the hackers often requested information that would be secured via subpoenas, such as full legal names, physical addresses, email addresses, and IP addresses.  The hackers then used such information to hack into the victims’ accounts.  The hackers used information found in user accounts to pressure victims into sending money or sexually explicit photographs.

Forged Legal Requests Becoming Increasingly Common

While these attacks are not completely new, investigators warn that these activities have become increasingly common in the past few months.  Targeted victims are most commonly females or minors.  If the victims decline to comply, the attackers will often “swat” or “doxx” them, which means sending law enforcement to the physical address of victims under the guise of a fake threat or publishing the private information of an individual without their consent, respectively.

As such, attorneys in the field need to be cognizant of these privacy risks as they become increasingly common.  Forced emergency requests may need to be further verified with the requesting agency via telephone or other individuals in the requesting agency.  As many foreign agencies have been compromised, falsely represented, or impersonated, attorneys and clients alike need to be on their guard if they are in charge of important personal and sensitive information of its users.  Similarly, attorneys need to remain apprised of this burgeoning legal trend, especially as lawmakers have begun to focus on investigating and legislating against this new type of cybercrime.

Key Takeaways on Forged Legal Requests to Tech Companies

A troubling new cybercrime has emerged recently in which technology companies have received fake requests from compromised law enforcement agencies that results in the release of sensitive information on its users. This has resulted in:

• The unauthorized release of sensitive and personal information of targeted individuals;

• Doxxing, swatting, and hacking of users or their accounts; and

• The procurement of sexually explicit materials from targeted victims.

For more information about technology law, see our Technology Law Services and Industry Focused Legal Solutions pages.