Security News > 2022 > April > Hackers Using Fake Police Data Requests against Tech Companies
Brian Krebs has a detailed post about hackers using fake police data requests to trick companies into handing over data.
Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.
In certain circumstances - such as a case involving imminent harm or death an investigating authority may make what's known as an Emergency Data Request, which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.
If law enforcement's keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege.
Law enforcement's stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials.