Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner

from the as-if-someone-hooked-up-a-Cellebrite-to-Cellebrite dept

When a Cellebrite device is hooked up to a seized phone, the operator presses a few buttons to pull pretty much every bit of data from the device. From there, investigators can try to find the evidence they’re seeking. While the FBI continues to claim device encryption is preventing law enforcement from accessing evidence, plenty of private companies are providing solutions to the problem the FBI claims is unsolvable without backdoors.

It looks as though Cellebrite cellebrited itself a few years ago. Somehow, during normal day-to-day business operations involving its Japanese stakeholder, it performed a data dump of epic proportions that ultimately made its way into the hands of Japanese regulators. Omar Benjakob has the exclusive report for Israeli news outlet, Haaretz.

Sensitive and confidential information relating to intelligence, defense and law enforcement agencies across the globe, including the FBI and Interpol, leaked from Israeli firm Cellebrite, according to court documents cleared for publication at Haaretz’s request.

The information is from 2015-2017 and includes almost half a million emails belonging to senior officials and directors at Cellebrite, their internal communications and exchanges with clients, invoices and even contracts.

These documents first ended up in the hands of Cellebrite’s main shareholder, the Japanese Sun Corporation. From there, they went to Japanese government authorities, who were investigating whether Sun Corporation made use of this sensitive Cellebrite info to engage in insider trading.

All of this was done without the knowledge of Cellebrite’s many customers, who had their internal discussions shared with a stakeholder (which may have been expected to have some access to proprietary info) and Japanese authorities. It also appears to have happened without the knowledge of Cellebrite, which then approached its legal reps to assess the potential fallout of this unexpected leak.

In one of the documents, lawyers hired by Cellebrite wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”

“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure,” according to the legal opinion written at Cellebrite’s behest in 2018 and whose publication was cleared by Israeli courts last week.

It’s not just the proprietary info, insight into Cellebrite’s customer base, and internal communications that raise these concerns. It’s also a criminal act in many countries to disseminate sensitive information linked to national security efforts or criminal investigations, even if done inadvertently or without malice. The exposure of this leak could see Cellebrite investigated and charged for mishandling this sensitive information.

The leak shows plenty of government agencies around the world are either current or former customers, including the FBI, DHS, US Marshals Service, ICE, the Royal Canadian Mounted Police, Interpol, the UK Ministry of Defence, and, more oddly, entities like NASA and the Russian embassy in Tokyo.

With all this exposed, thanks to a lawsuit between Cellebrite and consultant David Spector, Cellebrite is playing belated defense, claiming this is nothing more than showboating by Spector and that its massive leak never harmed anyone, much less the now-publicly traded company.

The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest.”

Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities.”

Well, the “PR purposes” part of it appears to be working, even if that was not Spector’s intent. Cellebrite no doubt assures customers their communications, as well as the trade secrets that make Cellebrite worth purchasing, will be well-protected. A massive leak like this is far from reassuring.

As for this having no effect on the company’s activities… well, that remains to be seen. When the leak was still a secret, it may have had minimal effect. But now it’s public knowledge, and that could have some negative effects on Cellebrite’s future.

Filed Under: , , ,
Companies: cellebrite, sun corporation

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner”

Subscribe: RSS Leave a comment
6 Comments
Anonymous Coward says:

Re: and in unrelated news...

from signal…

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.

That One Guy (profile) says:

Few things are more sour than tasting your own medicine

Oh that is just too good, a company that sells and profits off the access of private data that isn’t theirs for others to pour over and look for incriminating stuff has their private data handed over to third parties for other people to look over and look for incriminating stuff.

LostInLoDOS (profile) says:

Re:

In all the reports of government (mis)use people tend to forget, or not understand, just how useful such tools are for more, um, tasteful reasons.

Cell phone stores use to to move device date from one phone to brother, even when severely damaged.
Technicians use them to make full backups before major phone or tablet repair.
So the issue is not in the product existing but rather how it is used.

All said, though, this is a major whoops 😅

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...