Showing posts with label Hackers Subpoena Power via Fake Emergency Data Requests. Show all posts

Thursday, December 14, 2023

Brian Krebs has a site, Krebs on Security. He put out a report titled "Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests'" (Brian Krebs, Krebs on Security, March 29, 2022).

As with all privacy reports, you're thankful for the news and terrified by the results. There's a terrifying and highly effective method that Krebs says criminal hackers are now using to harvest sensitive customer data. They're getting this from all kinds of companies: internet service providers, phone companies, social media firms, and basically any tech company that you can think of.

They are doing this by compromising email accounts and websites that are tied to police departments and government agencies. They will hack someone's email account or website, then get access or create a shell account at the back end and create more email accounts for themselves, and then they will send unauthorized demands for subscriber data. So they'll be like, "Hey Twitter, you need to send me this data on this user." Now, usually when companies are asked for this information, a court order comes along with it; there's a subpoena; there's official documentation. What Brian Krebs has pointed out is that the hackers are saying, you know, send us this information, Twitter, and the information being requested can't wait for a court order, because it relates to an urgent matter of life and death. This is a specific thing that law enforcement can do, called an Emergency Data Request.

Krebs explains further:

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.