For Cyber and Data Security, Companies Are Only as Strong as Their Weakest Links

Cybercrime is on the rise and continues to come in all shapes and sizes. Late last month, it was discovered that hackers gained access to the underlying blockchain that powers Axie Infinity, a very popular NFT-based online video game, and stole the equivalent of $625 million in cryptocurrency. The breach represents the second biggest hack in crypto history. 

As troubling is a recent announcement by Apple Inc. and Meta Platforms Inc—Facebook’s parent company—that they were hoodwinked into handing over customer data (read: personal addresses, phone numbers and IP addresses) to hackers posing as law enforcement. This happened in the middle of last year, when the tech giants were sent forged “emergency data requests” from hacked email domains belonging to multiple law enforcement agencies. Snap Inc. was also on the receiving end of these forgeries, though it’s unclear if that company took the bait. 

By way of background, emergency data requests are a tool that law enforcement leverages to obtain user information when conducting criminal investigations. Typically accompanied by a search warrant or subpoena signed off by a judge, these requests are legally sufficient even in the absence of court orders. 

For their part, Apple and Meta did what they could to verify the veracity of the emergency data requests in line with ongoing efforts to flag suspected fraud. Nonetheless, customer data was allowed to be stolen, and conventional wisdom suggests it was exploited to facilitate financial fraud. For instance, the personal information illegally gathered could be used to bypass account security measures. 

Apple and Meta were duped because their verification procedures relied upon information that could not be confirmed by their compliance departments. What made these cyberattacks particularly dangerous is that they were not merely technical; instead, the breaches successfully blended technical tools with human engineering. With these hacks, black hats—cyber criminals looking to break into computer networks with malicious intent—penetrated email systems of government agencies, and then used that access to forge documents that were trusted by internal compliance teams. 

These attacks highlight how important it is for companies to approach cybersecurity at not just the technical level, but also operationally and with iron clad policies so as to limit the chance of technical penetrations leading to human errors. No doubt about it, companies like Apple, Meta, Axe Infinity and the like are constant targets of cyber criminals. And as hackers become more and more sophisticated and brazen, data privacy becomes an increasingly complex undertaking, requiring ongoing vigilance and professional attention. 

That being said, combatting the unyielding efforts of hackers requires not only technical safeguards, but human oversight, which is why comprehensive cyber and data policies and training are critical for every organization. Remember, for purposes of cyber and data security, organizations large and small are only as strong as their weakest links.  

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.