FBI issues warning about fake Emergency Data Requests used to acquire PII


The FBI this week issued a warning about hackers who exploit compromised government and law enforcement email accounts to submit fraudulent Emergency Data Requests (EDRs) to U.S.-based tech companies. A fraudulent EDR lets hackers obtain private user information such as emails and phone numbers, and potentially other personal and sensitive information.

An Emergency Data Request allows law enforcement agencies to obtain user data from tech companies without a warrant in cases of imminent danger. Typically, law enforcement agencies submit these requests on the implied trust that only authorized personnel can send them.

EDRs are often sent via email or through online portals, requiring only that the sender’s email address or credentials appear legitimate, for example by carrying a .gov email suffix. Unlike other legal requests, which require a warrant and are subject to formal review, EDRs bypass these safeguards, making them susceptible to abuse if hackers gain access to official accounts. And as recurring hacks have demonstrated, the system is vulnerable.

Hacking incidents targeting government and law enforcement email addresses to facilitate fraudulent EDRs have become a significant cybersecurity threat. The FBI warns that criminal actors have used these breaches to exploit loopholes in legal processes that allow expedited access to sensitive data without formal warrants in urgent situations where time is critical. This tactic is particularly concerning because EDRs bypass the normal judicial oversight process, relying instead on trust between technology companies and government authorities to swiftly provide data in crisis situations.

As of August 2024, the FBI said it noticed “an uptick in criminal forum posts regarding conducting fraudulent emergency data requests,” adding that “cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes.”


“While the concept of fraudulent emergency data requests was previously used by other threat actors, such as Lapsus$, the increase in postings on criminal forums regarding the process of emergency data requests and sale of compromised credentials has led to an increase of their use,” the FBI said.

The FBI is encouraging organizations to implement the recommendations in the mitigations section of its advisory “to reduce the likelihood and impact from submission of fraudulent emergency data requests to attempt to gain unauthorized access to personally identifiable information (PII).”

The FBI said that “enhanced password protocols implemented in early 2023 highlighted that a mandated increase in password length, the use of multi-factor-authentication (MFA) for users with administrative rights, policy controls directed at phishing, and improved baseline monitoring worked together to decrease successful attempts at cracking passwords and made networks more resilient to a threat actor’s initial intrusion and persistence.”

Companies like Apple, Meta, and others rely on authentication processes for law enforcement contacts but may not independently verify each request in real time. This reliance on established relationships and trust with law enforcement, however, creates openings for impersonation and fraudulent requests.

Hackers seeking to submit fraudulent EDRs usually start by compromising legitimate law enforcement or government email accounts through phishing to trick law enforcement personnel into disclosing credentials, which can then be used to log in to email accounts associated with EDRs.

Smaller police departments or government offices may have outdated cybersecurity practices, making them susceptible to credential theft, password re-use issues, or poor MFA practices. If a law enforcement email is part of a larger data breach that includes credentials or email addresses, hackers may attempt to use those credentials to access EDR portals or law enforcement systems.

In 2022, hackers successfully used stolen law enforcement email accounts to send fake EDRs to major companies like Apple and Meta, obtaining sensitive user data without a warrant. The requests, which appeared legitimate due to their origin from official email accounts, led the companies to disclose information, including user IP addresses and other data, which could then be used for subsequent attacks.

These unauthorized EDRs are often directed at individuals with valuable information or leverage, such as military, intelligence, and other government officials, tech executives, journalists, and even political activists. Access to data such as IP addresses or geolocation also allows attackers to track, harass, or extort these individuals, potentially leading to severe privacy and security risks.

The use of compromised law enforcement accounts to submit fraudulent EDRs has far-reaching implications. For example, when user data is disclosed without proper authorization, it violates privacy rights and can have real-life safety and security implications, especially for individuals targeted by bad actors. And as these abuses become more public, the trust between law enforcement and technology companies can be eroded, potentially slowing legitimate EDR responses and jeopardizing public safety during genuine emergencies.

The lack of oversight of the EDR process highlights the need for reform. Law enforcement agencies are under scrutiny for allowing access vulnerabilities, while tech companies face pressure to tighten their data-sharing protocols. In response, both the government and technology companies have begun implementing reforms to secure the EDR process and prevent future abuses.

Some tech companies have introduced additional layers of authentication for EDRs which include verifying the identity of the requester through multiple channels, such as direct callbacks to verified law enforcement contacts, or leveraging dedicated law enforcement portals that require stricter access controls.

Tech companies are also implementing stronger tracking mechanisms for EDR requests, such as logging IP addresses, timestamps, and contextual data to spot anomalies. Suspicious requests can be flagged, allowing security teams to investigate before data is disclosed.
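The two preceding paragraphs describe layered verification (requester identity confirmed through an out-of-band callback to a contact on file, requests accepted only through controlled channels) and anomaly-aware logging of each request. The following Python is an added illustration of how an intake team might combine those checks before any data is released; it is not code from any company named in the article or from the FBI advisory. The agency allowlist, callback numbers, IP ranges and the sample requests are all constructed placeholders.

```python
"""Illustrative triage for incoming Emergency Data Requests (constructed example).

Each request is checked against a verified-agency allowlist, the recorded source
IP, an out-of-band callback confirmation, and simple volume/timing anomalies.
Nothing is released unless every check passes; every decision is logged.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed allowlist: agency mail domain -> callback number an analyst must
# dial (taken from the agency's own published directory, never from the request)
# and the network ranges the agency is known to send from.
VERIFIED_AGENCIES = {
    "example-pd.gov": {"callback": "+1-555-0100", "networks": ["198.51.100.0/24"]},
    "sheriff.example.gov": {"callback": "+1-555-0101", "networks": ["203.0.113.0/24"]},
}

# Treat a burst of requests from one sender inside a day as worth a second look.
MAX_REQUESTS_PER_DAY = 3


@dataclass
class EDRRequest:
    sender: str                 # email address the request arrived from
    source_ip: str              # IP recorded by the mail gateway or portal
    received_at: datetime       # timezone-aware timestamp (assumed UTC here)
    target_account: str         # account the requester is asking about
    callback_confirmed: bool = False  # set only after an analyst's call-back


@dataclass
class Decision:
    release: bool
    flags: list = field(default_factory=list)


def triage(req: EDRRequest, history: list) -> Decision:
    """Return a release/hold decision plus the reasons any request was held.

    `history` is the list of previously seen requests; the current request is
    appended so later volume checks can see it.
    """
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()

    # 1. Is the sending domain on the verified-agency list at all?
    agency = VERIFIED_AGENCIES.get(domain)
    if agency is None:
        flags.append("sender domain not on verified agency list")
    else:
        # 2. Did the request originate from that agency's known networks?
        src = ip_address(req.source_ip)
        if not any(src in ip_network(n) for n in agency["networks"]):
            flags.append("source IP outside agency's known networks")

    # 3. Contextual anomaly: arrival outside normal working hours (assumed UTC).
    if req.received_at.hour < 6 or req.received_at.hour >= 22:
        flags.append("received outside normal business hours")

    # 4. Volume anomaly: too many requests from the same sender within 24h.
    recent = [
        h for h in history
        if h.sender.lower() == req.sender.lower()
        and abs((req.received_at - h.received_at).total_seconds()) < 86400
    ]
    if len(recent) >= MAX_REQUESTS_PER_DAY:
        flags.append(f"{len(recent)} prior requests from sender in 24h")

    # 5. Out-of-band confirmation is mandatory regardless of the other checks.
    if not req.callback_confirmed:
        flags.append("no out-of-band callback confirmation")

    history.append(req)
    return Decision(release=not flags, flags=flags)


def audit_record(req: EDRRequest, decision: Decision) -> dict:
    """Build the structured log entry written for every request, released or not."""
    return {
        "ts": req.received_at.isoformat(),
        "sender": req.sender,
        "source_ip": req.source_ip,
        "target_account": req.target_account,
        "released": decision.release,
        "flags": list(decision.flags),
    }


if __name__ == "__main__":
    history = []
    good = EDRRequest("det.smith@example-pd.gov", "198.51.100.7",
                      datetime(2024, 11, 12, 15, 0, tzinfo=timezone.utc),
                      "user-123", callback_confirmed=True)
    bad = EDRRequest("det.smith@example-pd.gov", "192.0.2.9",
                     datetime(2024, 11, 12, 23, 30, tzinfo=timezone.utc),
                     "user-456")
    for r in (good, bad):
        print(audit_record(r, triage(r, history)))
```

The point of the design is that a legitimate-looking sender address is never sufficient on its own: the callback number comes from the intake team's own records, not from the request, and a compromised mailbox cannot satisfy the source-network or callback checks even if the .gov domain is real. The audit record is produced for held requests too, which is what lets a security team investigate before any disclosure.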

The federal government, through agencies like the FBI and the Department of Homeland Security (DHS), is providing cybersecurity training and guidelines to law enforcement to reduce vulnerabilities in their systems. This includes strengthening password policies, mandating the use of multi-factor authentication, and promoting best practices for handling EDR protocols.

Some government entities and advocacy groups have called for formal auditing and accountability processes for EDRs. Proposed measures include a legal mandate for agencies to retain records of all data requests and to allow for independent reviews if an abuse is suspected.

There have also been calls for legislative changes to limit the scope of EDRs or to require judicial oversight, even in emergency cases. Privacy advocates argue that these changes would protect user data from being accessed without due process, even under urgent circumstances.

In recognition of the problem, DHS has recommended that law enforcement agencies adopt stronger cybersecurity measures for any systems that handle or store sensitive credentials related to emergency data requests. This includes segregating access to email accounts, reinforcing endpoint security, and introducing mandatory, routine cybersecurity audits.

In its advisory, the FBI recommends that organizations “review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident. The cybersecurity landscape is ever evolving, and cyber threats are becoming increasingly sophisticated. Organizations need to stay ahead of the curve using proactive approaches to mitigate risks.”

The FBI recommends that common industry best practices be implemented.

Meanwhile, to protect against fraudulent EDRs, both the government and technology companies are considering additional reforms. One proposed solution is a government-run verification hub for EDR requests. Law enforcement agencies would submit requests to a centralized system where the identities of requesters could be verified before data is sent to tech companies. This would create a reliable chain of custody and allow for auditing.

Further, by standardizing protocols, companies and law enforcement could adopt consistent safeguards to close loopholes and make it harder for bad actors to exploit the process.

Some tech companies have begun to publish transparency reports that detail the number of EDRs they have received and how many were granted. Expanding this practice can help the public understand the scale of the issue and hold entities accountable for data privacy standards. And, because so many bad actors operate internationally, the government has also begun to strengthen its collaboration with global law enforcement agencies to quickly trace and counteract foreign actors who target US law enforcement credentials.

The abuse of EDRs underscores the vulnerability of digital emergency protocols in the face of increasingly sophisticated cyber adversaries. As government agencies and tech companies seek to protect sensitive data and prevent further abuses, they must also balance the need for rapid response to emergencies with stronger verification to prevent fraudulent requests. Ongoing security recommendations and reforms suggest a trajectory toward more secure and transparent systems that protect both public safety and user privacy.
