Why Securing the ‘Front Door’ to Legal is Now Mission Critical

Kodex's team at a recent offsite in Nashville

We are seeing a massive shift happening in how crimes are investigated and solved. 

The best witness has evolved from a human to a company, but law enforcement doesn’t intuitively know how to navigate the appropriate legal channels at most companies. Confusion bubbles, frustration ensues, and now law enforcement and companies are fighting each other instead of the bad guys. This is the frustration I felt in the FBI and why I left to start Kodex. 

 

Inefficiency Creates Big Brother Behavior 

Lawful data requests have replaced witness canvassing as the primary component of a modern investigation. These requests are regulated by several privacy and data protection laws including GDPR, CALEA, RFPA, and ECPA. Law enforcement and companies are expected to comply with these regulations for compiling and transferring data related to lawful investigations.

An overly broad scope or an inappropriate request from law enforcement often generates the feeling of “Big Brother” among companies and their users. Yet, these kinds of requests are usually the result of law enforcement investigators not knowing how or what to ask for. Because data structures around identifiers differ across industries and companies, wide nets get cast to compensate for a shallow or inaccurate understanding of data practices inside individual companies. Law enforcement doesn’t want to sift through more data than they need because it slows down their investigation. They want to be both precise and accurate in their requests.    

Companies that use Kodex can enforce their unique guidelines for law enforcement to ensure requests are appropriately scoped to be precise and accurate for their business. On the flip side, law enforcement investigators using Kodex know upfront what kind of data can be requested from each company and what information needs to be provided in the initial request. A more efficient process makes it easier for everyone to comply with data protection and privacy regulations by eliminating inaccurate or overly broad requests. 

 

As investigations evolve, so do the hackers

A perfect storm is happening for legal response teams: the volume of lawful requests is increasing, while the risk of responding to fraudulent law enforcement requests is also at an all-time high.

The lawful data response process has been a major security weak spot for corporations. I call it the black sheep of data security strategy because often internal responders, like Law Enforcement Response Teams (LERT), don’t have a centralized home within the organization. 

And they may not be connected to relevant teams within their company. Response duties are typically spread across functions, from legal to customer support, with security, privacy, and compliance often out of the loop. In this environment, inconsistent procedures, policies, and operations are common. This leaves major gaps in the response process and creates repositories of unstructured data, all of which are very inviting to data thieves.

 

Getting from ‘maybe someday’ to ‘mission critical’

In calling attention to the weaknesses in the lawful response process, I use the term mission critical intentionally. The textbook definition of mission-critical is an activity or system that, should it fail or be disrupted, could cause significant harm to businesses, humans, or both. Today, protecting your company against fraudulent lawful data requests, especially those that appear to come from law enforcement, fits squarely into that high-priority category.

Outdated systems face new and evolving risks

In just the three years since building and launching the Kodex platform, I’ve been astounded by the inventiveness and aggressiveness of hackers targeting corporations through the law enforcement data request channel (which, for many companies today, consists of an insecure email inbox). Here are some recent trends I want to call out:

  • Hackers, data thieves, and extortionists discovered the ‘soft underbelly’ of the law enforcement data request channel. In turn, they have rapidly escalated the sophistication and frequency of attacks using compromised credentials, fake Emergency Data Requests (EDRs), and other methods to steal targeted, highly sensitive personal data. As our monthly threat intelligence reports show, law enforcement email compromise (LEEC) is on the rise with new attacks on a weekly basis. 
  • In a major shift, IBM found that stealing credentials is now a hacker’s number one go-to method. Their research reveals that bad actors prefer using stolen valid credentials over phishing and other methods of compromise to access employee and company data. 
  • The dark web is increasingly awash in low-cost tools to manipulate the request process. Stolen EDR templates, unmanaged or expired law enforcement domains, forged court orders and more are all for sale to criminals online.
  • Large, tech-savvy companies are not immune. While they may have a more organized approach to legal data requests, big companies can still make mistakes. For example, in 2022, Apple and Meta gave user data to criminals who used forged EDRs and compromised law enforcement email accounts.

And then there is the complex and quickly evolving issue of data protection and privacy regulations around the world. Many jurisdictions have specific requirements for companies that pertain to the scope, user notice, and public transparency of law enforcement requests. 

 

The threats are real, and so are the results for Kodex customers.

Despite the intensifying threats and organizational complexities facing businesses as they struggle to respond to more and more data requests, things are starting to change. In my conversations with business leaders across industries, I am seeing a growing awareness of the vulnerabilities of their current process and many are ready to take action. 

In fact, we’ve seen a strong response to our solution and that is incredibly gratifying. There are many success stories we can share, but here are a couple of examples of how the Kodex platform has enabled a more secure and efficient response process for our customers.

Setting a new standard for security and efficiency

Every company adopting Kodex as their ‘front door’ to external requesters is adopting a zero-tolerance policy for sending private data to bad actors. During request intake, they are capturing structured data via Kodex’s dynamic intake forms instead of sifting through freeform responses via email. With structured data in hand, they are easily connecting external and internal identifiers, and producing the exact amount of data to comply with requests.

I’m extremely proud of the results. A few to share:

  • Kodex customers have been shielded from thousands of fake requests using compromised government emails, including several .gov hacks that would have been indistinguishable from legitimate requests without Kodex’s threat monitoring.
  • A messaging app using Kodex responds to emergency data requests in under 12 minutes, without opening up the company to risk.
  • Another online brand has leveraged our APIs so that each inbound request requires only two quick reviews by a team member, with automation handling the verification and data production pieces. This saves each ops person 12+ hours a week. 

 

The bad guys never let up, so neither do we.  

My experience working at the FBI taught me how criminals think and how they adapt their strategies to changing conditions. This insight has helped us build a comprehensive and forward-looking solution that is constantly expanding and improving in anticipation of new threats. 

In addition, we are focused on how we can meet the growing needs of our customers, who are facing an unprecedented volume of law enforcement requests.  

Our mission is critical and our vision is clear

A while back I shared the story of what inspired me to build Kodex. That passion - to help protect society from real and credible threats while enabling the highest possible level of user privacy and trust - has only increased for me and my amazing team.  

As the pressure on businesses to increase operational efficiency without sacrificing security or customer privacy continues to grow, Kodex customers have peace of mind that a requester is legitimate. They can receive requests in a standardized format to enforce internal and regulatory requirements and eliminate time-intensive back-and-forth communication upfront. And they can access data for audits and transparency reporting with a single click.

If you’d like to join the many businesses in the Kodex community or learn how the Kodex platform works, please contact us. You can also learn more by downloading our latest whitepaper on the security and privacy risks created by fake emergency data requests.