Hackers are now stealing the identities of law enforcement agencies and using them to force companies into giving away sensitive customer information.
The revelation was explained in detail by researchers from KrebsOnSecurity, a cybersecurity blog.
According to the report, all crooks need is access to a single email address belonging to any law enforcement agency, and a little knowledge about something called an Emergency Data Request (EDR).
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
A race against time
Usually, when police want data from companies such as Internet Service Providers (ISP), web hosting firms and others, they need a court order or subpoena, which involves a relatively lengthy application process.
Sometimes, however, police need to act quickly to prevent possible injury or death. In such instances, they can submit an EDR and demand the data be handed over immediately.
When businesses receive such a request, especially if it comes from a legitimate email address, they have a choice: either investigate whether the request is valid and potentially risk someone’s death, or hand over the data.
> Everything we know about Lapsus$ and Okta so far (opens in new tab)
> There's been another development in the Lapsus$ saga (opens in new tab)
> This British teenager is apparently the mastermind behind Lapsus$ (opens in new tab)
Data management is a major challenge, especially for large businesses, and most of these companies have dedicated departments working exclusively on such matters. At the same time, though, there are thousands of law enforcement agencies they are constantly in touch with. In the US alone, KrebsOnSecurity reminds, there are 18,000 police jurisdictions.
Researchers have previously linked identity theft and EDR abuse with Lapsus$, a threat group that has been making headlines recently with breaches of high-profile targets such as Samsung, Nvidia and Microsoft.
Allegedly, a person who could very well be the founder of Lapsus$ recently advertised a "subpoena service" designed to help hoodwink companies into handing over data.
- Make sure employees only have access to the data they need with the best identity management services
Via KrebsOnSecurity (opens in new tab)