On September 4, a privacy specialist at Charter Communications swiftly responded to a purported emergency data request from Officer Jason Corse of the Jacksonville Sheriff’s Office, providing sensitive personal details within minutes. However, the email was not legitimate; it came from a hacker posing as the officer, a member of a group offering doxing services for a fee. This group has successfully tricked numerous major tech companies into releasing private user data.
A hacker known as Exempt claimed they had executed nearly 500 such requests against companies like Apple and Amazon, sharing evidence including email screenshots, fake subpoenas, and recordings. They claimed their group earned over $18,000 in a single month, indicating that this practice of impersonating law enforcement is not only prevalent but profitable.
Exempt detailed how they gained access to sensitive information, asserting that with just an IP address, they could obtain names, addresses, and other personal data. Using this information, they could generate fake emergency data requests that major companies rushed to process due to potential threats of imminent harm.
One tactic employed by hackers is spoofing email domains to resemble legitimate law enforcement addresses. By closely mimicking official email formats and documents, hackers like Exempt facilitate the extraction of personal information with minimal resistance from tech companies that strive to cooperate swiftly with law enforcement.
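A defensive intake check for the spoofed and look-alike sender domains described above, as an added example that is not from the original article. The agency domains, the gateway's authserv-id and the sample message are constructed assumptions; because genuine agency accounts can also be compromised, even an authenticated message only earns a phone callback, never an automatic release.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): agency domains verified out of band, and the
# authserv-id our own inbound mail gateway stamps on Authentication-Results.
VERIFIED_AGENCY_DOMAINS = {"sheriff.example.gov", "police.example.gov"}
TRUSTED_AUTHSERV_ID = "mx.intake.example"

def dmarc_result(msg):
    """DMARC verdict from our own gateway's header; sender-supplied copies are ignored."""
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # header was not written by our gateway, so it proves nothing
        for part in parts[1:]:
            if part.lower().startswith("dmarc="):
                return (part[6:].split() or ["none"])[0].lower()
    return "none"

def triage(raw_email):
    """Classify an emailed emergency data request before any data is released."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in VERIFIED_AGENCY_DOMAINS:
        # A pass only proves the mailbox, not the person using it, so a human
        # still calls the agency on a number already on file.
        return "callback-required" if dmarc_result(msg) == "pass" else "reject-spoofed"
    near = difflib.get_close_matches(domain, sorted(VERIFIED_AGENCY_DOMAINS), n=1, cutoff=0.8)
    return "reject-lookalike" if near else "manual-verification"

# Constructed sample: look-alike sender domain carrying a forged "pass" header.
SAMPLE = (
    "Authentication-Results: mx.sender.example; dmarc=pass\n"
    "From: Officer <records@sherrif.example.gov>\n"
    "Subject: Emergency data request\n\n"
    "Imminent threat to life, respond immediately.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))  # reject-lookalike
```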
In an instance shared with WIRED, Exempt reported obtaining contact information related to British far-right activist Tommy Robinson through a request made to Rumble, a video-sharing platform. Companies typically handle data requests via email, but the rush associated with emergency requests allows hackers to exploit weaknesses in the verification process.
Additional discussions highlighted how hard it is to distinguish legitimate requests from fraudulent ones: 18,000 law enforcement agencies in the U.S. operate with varied protocols, making exhaustive verification complex. Hackers also use social engineering to compromise genuine agency accounts.
Despite some tech companies implementing stricter verification methods, hackers, including Exempt, have found loopholes to access more secure systems. Exempt mentioned ongoing conversations with a law enforcement officer potentially interested in collaborating with the doxing group, which reflects a significant risk of corruption within some agencies.
As the hackers capitalize on the urgency that law enforcement agencies feel to protect lives and respond to emergencies, these breaches highlight a dire need for improved security measures in handling sensitive information requests. Experts suggest that email systems are not equipped to manage today’s identity verification and decision-making demands, revealing the critical nature of this ongoing issue in data privacy and cyber security.