So exactly what happened?
The police can ask certain companies for an emergency data request, or EDR, when someone is potentially in immediate danger. EDRs don’t require a judge’s signature and are likely to be used for severe cases.
EDRs have long been criticized as a data-privacy loophole ripe for abuse by law enforcement. But this is the first time we’ve heard of hackers using the EDR loophole to steal people’s data.
On Friday, April 1, 2022, UK police announced that two teens were charged with hacking crimes that might be linked to the Apple and Meta hack. Seven others aged between seventeen and twenty-one are under investigation for similar crimes that might be linked to the notorious hacker gang, Lapsus$.
The two teenagers, a 16-year-old and a 17-year-old, each face three counts of unauthorized access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorized access to a computer with intent to hinder access to data. The 16-year-old also faces one count of “causing a computer to perform a function to secure unauthorized access to a program.”
Lapsus$ is a cybercriminal gang that, in a matter of months, has terrorized and held some of the biggest tech companies for ransom. Okta, Microsoft, Nvidia, Ubisoft, Samsung, and Vodafone have all had hundreds of internal files, source code, and consumer data dumped online by Lapsus$.
Lapsus$ hacks are notorious for their severe, far-reaching impact, and their wounds are felt through hundreds of other partnering companies. For instance, when Lapsus$ hacked Okta, some 366 companies had possibly been impacted by the attack. Other victim-companies had projects with Apple, Google Cloud, Slack, London’s Metropolitan Police, and City of London Police (the police department that just arrested an alleged member of Lapsus$).
If Apple and Meta employees were so easily fooled by a message from a police email address, then we have to start looking at ourselves. Yes, verification procedures are vital in cybersecurity, but employees are more often the weakest link.
Assuming Lapsus$ was responsible for the attack on Apple and Meta, all it had to do was send an urgent-looking email from a legitimate police email account to steal users' most personal details. Trickery or social engineering attacks like these are (at risk of sounding facetious) one of the most cost-effective ways to hack.
One of our own security researchers was quick to comment on the failures of Apple and Meta’s security, reminding us that, “The fact that minors were able to exploit a loophole is why the process of how companies cooperate with law enforcement should be strict and clearly defined.”