A recent Bloomberg piece highlighted how Meta Platforms, Inc. (parent company of Facebook) and Apple, Inc. had been successfully socially engineered into providing customer data in response to “emergency data requests” from individuals who they believed to be representing the U.S. government. If your entity is collecting customer data, it is possible you’ll receive a lawful request for the data from a government entity. This may take the form of a warrant, subpoena or national security letter. Do you have a process for handling these requests?

How these miscreants manipulated these conglomerates into providing data may have been made possible by the heavy volume of requests received each day and the lack of checks and balances within the processes. Both Meta and Apple have published guidelines for government entities that wish to request information from them. Both rely on online forms or email. No direct human interaction takes place when a request is originated.

Let’s look at the processes for the two entities.

Meta/Facebook emergency data request process

The Meta/Facebook guidelines cover a variety of scenarios, ranging from U.S. legal process requirements to international requirements, authenticity and account preservation, child safety matters, data retention, format, user consent and notification of individuals, and the “emergency request.”

For the emergency request, which was the means by which the organization was manipulated, the online request form carries warning notices on who may use it and states that unauthorized requests are subject to prosecution.
That said, the online request form is straightforward:

“We disclose account records solely in accordance with our terms of service and applicable law. If you are a law enforcement agent or emergency responder who is authorized to gather evidence in connection with an official investigation or in order to investigate an emergency involving the danger of serious physical injury or death, you may request records from Facebook through this system.”

“I am an authorized law enforcement agent or government employee investigating an emergency, and this is an official request.”

Check the box and move on to the next step. Provide “the name of the issuing authority and agent, email address from a law-enforcement domain, and direct contact phone number,” followed by “the email address, phone number (+XXXXXXXXXX), user ID number (http://www.facebook.com/profile.php?id=1000000XXXXXXXX) or username (http://www.facebook.com/username) of the Facebook profile.”

Apple emergency data request process

Apple takes a different approach, publishing its guidelines for law enforcement requests as a PDF. The guide is no less comprehensive than Meta/Facebook’s and in many instances more so; the section on emergency requests in particular is more detailed. Apple uses a separate PDF form, “Emergency Government/Law Enforcement Information Request,” in which the requestor attests that the emergency involves circumstances or serious threats to “life/safety of individuals, the security of a State, or the security of critical infrastructure/installations.” The requestor then emails the request to a designated email address with the subject line “Emergency Request.”

Social engineering emergency data requests

All who study social engineering know the recipe: you give the target what they are looking for, and you add a sense of urgency to the request for information or action.
In both companies, the process was similar: each requires the rationale for the request, identifying information and a point of contact.

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement provided to Bloomberg. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

So how could the events have transpired?

The point of origin may have been compromised email accounts associated with law enforcement. When law enforcement entities learn that an email account has been compromised, do they change the email address? Remove the address from every pre-authorization engagement? Send out notices disavowing any legitimacy to email originating from the compromised account? Probably not. With a compromised email account in hand and a ready template provided by the target, creating the fake request can be as easy as filling in the blanks.

But what of the validation/verification aspect? When the requesting party supplies all the contact data, they control the engagement: any callback or confirmation email goes to a phone number or mailbox the requester chose.

Review emergency data request processes

CISOs will be well served to review their processes with legal and HR to ensure that their entity isn’t the next to be successfully targeted. Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, observes, “Companies will be well served by having a ‘business security officer’.” That is an individual within the business operations element who is responsible for the security of that business element and is supported by the information security team.

She continued by noting how infrequently those doing internal threat monitoring include input from those who understand best how business is conducted.
That is to say, those on the shop floor may be best positioned to advise on how the current system, bracketed by policy and procedures, can be defeated.

Plaggemier’s advice is spot-on. Those who handle the requests day in and day out are best positioned to advise on how a third party may game the processes. Perhaps it is as simple as requiring pre-registration and third-party verification of authenticity before accepting a request from a given entity. What is required, however, is that each company must be able to independently verify the authenticity and credibility of the request, using contact details it obtained before the request arrived rather than those supplied with it.
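One way to implement that independent verification, as an added example that is not code from the article, Meta or Apple: a triage routine that looks the sender’s domain up in a registry of pre-registered agencies, refuses mailboxes the agency has reported as compromised, and routes every surviving request to a callback on the number recorded at pre-registration, never the one typed into the form. The agency names, phone numbers and sample requests are constructed for illustration.

```python
# Added example, not code from the article, Meta or Apple. The agencies,
# numbers and requests below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
import re


@dataclass(frozen=True)
class RegisteredAgency:
    """What the provider knows about an agency before any request arrives.

    callback_number was obtained out of band at pre-registration and is the
    only number ever dialled. revoked_mailboxes are addresses the agency has
    reported as compromised.
    """
    name: str
    callback_number: str
    revoked_mailboxes: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class EmergencyRequest:
    """Fields typed into the request form; every one is requester-controlled."""
    agency: str
    agent_email: str
    contact_phone: str
    rationale: str
    target_identifier: str


@dataclass(frozen=True)
class Decision:
    action: str                     # "reject" or "hold_for_callback"
    reasons: List[str]
    callback_number: Optional[str]  # always the registered number, never the supplied one


def _digits(phone: str) -> str:
    """Reduce a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", phone)


def triage(req: EmergencyRequest, registry: Dict[str, RegisteredAgency]) -> Decision:
    """Decide how to handle an inbound emergency request.

    The rationale text is deliberately never consulted: urgency in the
    narrative cannot shorten the path, and nothing the requester supplied is
    used to reach back to them.
    """
    domain = req.agent_email.rsplit("@", 1)[-1].lower()
    agency = registry.get(domain)  # exact match only, so look-alike domains miss
    if agency is None:
        return Decision("reject", [f"domain {domain!r} is not pre-registered"], None)
    if req.agent_email.lower() in agency.revoked_mailboxes:
        return Decision("reject", ["sender mailbox reported compromised by the agency"], None)
    reasons = [f"verify by callback to the number registered for {agency.name}"]
    if _digits(req.contact_phone) != _digits(agency.callback_number):
        reasons.append("supplied phone differs from the registered number; supplied number ignored")
    return Decision("hold_for_callback", reasons, agency.callback_number)


# Constructed registry: two fictitious agencies pre-registered out of band.
REGISTRY: Dict[str, RegisteredAgency] = {
    "pd.springfield.example": RegisteredAgency(
        name="Springfield Police Department",
        callback_number="+1 555 010 0100",
        revoked_mailboxes=frozenset({"det.jones@pd.springfield.example"}),
    ),
    "sheriff.shelby.example": RegisteredAgency(
        name="Shelby County Sheriff",
        callback_number="+1 555 010 0200",
    ),
}

# Constructed requests covering the cases the text describes.
SAMPLES: Dict[str, EmergencyRequest] = {
    # Registered domain, contact number matches the registry.
    "legitimate": EmergencyRequest("Springfield PD", "sgt.lee@pd.springfield.example",
                                   "+1 (555) 010-0100", "Missing child, imminent danger",
                                   "username example.user"),
    # Look-alike domain that is not in the registry.
    "lookalike": EmergencyRequest("Springfield PD", "sgt.lee@pd-springfield.example",
                                  "+1 555 010 0100", "Missing child", "username example.user"),
    # Real mailbox the agency has already reported as compromised.
    "revoked": EmergencyRequest("Springfield PD", "det.jones@pd.springfield.example",
                                "+1 555 010 0100", "Kidnapping in progress", "username example.user"),
    # Real domain, but the requester supplies a phone number they control.
    "attacker_phone": EmergencyRequest("Shelby Sheriff", "dep.cole@sheriff.shelby.example",
                                       "+1 555 999 9999", "Suicide threat, respond NOW",
                                       "username example.user"),
}


def run_samples() -> Dict[str, Decision]:
    """Triage every constructed sample; returned as a dict so results can be checked."""
    return {name: triage(req, REGISTRY) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:15s} {decision.action:18s} -> {decision.callback_number} {decision.reasons}")
```

The design choice worth noting is that the only request that is ever acted on is the one that survives a callback to a number the provider already held; the form’s own phone and email fields exist to identify the requester, not to verify them.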