Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner

(Mis)Uses of Technology

from the as-if-someone-hooked-up-a-Cellebrite-to-Cellebrite dept

When a Cellebrite device is hooked up to a seized phone, the operator presses a few buttons to pull pretty much every bit of data from the device. From there, investigators can try to find the evidence they’re seeking. While the FBI continues to claim device encryption is preventing law enforcement from accessing evidence, plenty of private companies are providing solutions to the problem the FBI claims is unsolvable without backdoors.

It looks as though Cellebrite cellebrited itself a few years ago. Somehow, during normal day-to-day business operations involving its Japanese stakeholder, it performed a data dump of epic proportions that ultimately made its way into the hands of Japanese regulators. Omar Benjakob has the exclusive report for Israeli news outlet, Haaretz.

Sensitive and confidential information relating to intelligence, defense and law enforcement agencies across the globe, including the FBI and Interpol, leaked from Israeli firm Cellebrite, according to court documents cleared for publication at Haaretz’s request.

The information is from 2015-2017 and includes almost half a million emails belonging to senior officials and directors at Cellebrite, their internal communications and exchanges with clients, invoices and even contracts.

These documents first ended up in the hands of Cellebrite’s main shareholder, the Japanese Sun Corporation. From there, they went to Japanese government authorities, who were investigating whether Sun Corporation made use of this sensitive Cellebrite info to engage in insider trading.

All of this was done without the knowledge of Cellebrite’s many customers, who had their internal discussions shared with a stakeholder (which may have been expected to have some access to proprietary info) and Japanese authorities. It also appears to have happened without the knowledge of Cellebrite, which then approached its legal reps to assess the potential fallout of this unexpected leak.

In one of the documents, lawyers hired by Cellebrite wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”

“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure,” according to the legal opinion written at Cellebrite’s behest in 2018 and whose publication was cleared by Israeli courts last week.

It’s not just the proprietary info, insight into Cellebrite’s customer base, and internal communications that raise these concerns. It’s also a criminal act in many countries to disseminate sensitive information linked to national security efforts or criminal investigations, even if done inadvertently or without malice. The exposure of this leak could see Cellebrite investigated and charged for mishandling this sensitive information.

The leak shows plenty of government agencies around the world are either current or former customers, including the FBI, DHS, US Marshals Service, ICE, the Royal Canadian Mounted Police, Interpol, the UK Ministry of Defence, and, more oddly, entities like NASA and the Russian embassy in Tokyo.

With all this exposed, thanks to a lawsuit between Cellebrite and consultant David Spector, Cellebrite is playing belated defense, claiming this is nothing more than showboating by Spector and that its massive leak never harmed anyone, much less the now-publicly traded company.

The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest.”

Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities.”

Well, the “PR purposes” part of it appears to be working, even if that was not Spector’s intent. Cellebrite no doubt assures customers their communications, as well as the trade secrets that make Cellebrite worth purchasing, will be well-protected. A massive leak like this is far from reassuring.

As for this having no effect on the company’s activities… well, that remains to be seen. When the leak was still a secret, it may have had minimal effect. But now it’s public knowledge, and that could have some negative effects on Cellebrite’s future.

Filed Under: data breach, david spector, hack, leak
Companies: cellebrite, sun corporation