Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner
from the as-if-someone-hooked-up-a-Cellebrite-to-Cellebrite dept
When a Cellebrite device is hooked up to a seized phone, the operator presses a few buttons to pull pretty much every bit of data from the device. From there, investigators can try to find the evidence they’re seeking. While the FBI continues to claim device encryption is preventing law enforcement from accessing evidence, plenty of private companies are providing solutions to the problem the FBI claims is unsolvable without backdoors.
It looks as though Cellebrite cellebrited itself a few years ago. Somehow, during normal day-to-day business operations involving its Japanese stakeholder, it performed a data dump of epic proportions that ultimately made its way into the hands of Japanese regulators. Omar Benjakob has the exclusive report for Israeli news outlet, Haaretz.
Sensitive and confidential information relating to intelligence, defense and law enforcement agencies across the globe, including the FBI and Interpol, leaked from Israeli firm Cellebrite, according to court documents cleared for publication at Haaretz’s request.
The information is from 2015-2017 and includes almost half a million emails belonging to senior officials and directors at Cellebrite, their internal communications and exchanges with clients, invoices and even contracts.
These documents first ended up in the hands of Cellebrite’s main shareholder, the Japanese Sun Corporation. From there, they went to Japanese government authorities, who were investigating whether Sun Corporation made use of this sensitive Cellebrite info to engage in insider trading.
All of this was done without the knowledge of Cellebrite’s many customers, who had their internal discussions shared with a stakeholder (which may have been expected to have some access to proprietary info) and Japanese authorities. It also appears to have happened without the knowledge of Cellebrite, which then approached its legal reps to assess the potential fallout of this unexpected leak.
In one of the documents, lawyers hired by Cellebrite wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”
“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure,” according to the legal opinion written at Cellebrite’s behest in 2018 and whose publication was cleared by Israeli courts last week.
It’s not just the proprietary info, insight into Cellebrite’s customer base, and internal communications that raise these concerns. It’s also a criminal act in many countries to disseminate sensitive information linked to national security efforts or criminal investigations, even if done inadvertently or without malice. The exposure of this leak could see Cellebrite investigated and charged for mishandling this sensitive information.
The leak shows plenty of government agencies around the world are either current or former customers, including the FBI, DHS, US Marshals Service, ICE, the Royal Canadian Mounted Police, Interpol, the UK Ministry of Defence, and, more oddly, entities like NASA and the Russian embassy in Tokyo.
With all this exposed, thanks to a lawsuit between Cellebrite and consultant David Spector, Cellebrite is playing belated defense, claiming this is nothing more than showboating by Spector and that its massive leak never harmed anyone, much less the now-publicly traded company.
The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest.”
Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities.”
Well, the “PR purposes” part of it appears to be working, even if that was not Spector’s intent. Cellebrite no doubt assures customers their communications, as well as the trade secrets that make Cellebrite worth purchasing, will be well-protected. A massive leak like this is far from reassuring.
As for this having no effect on the company’s activities… well, that remains to be seen. When the leak was still a secret, it may have had minimal effect. But now it’s public knowledge, and that could have some negative effects on Cellebrite’s future.
Filed Under: data breach, david spector, hack, leak
Companies: cellebrite, sun corporation
Comments on “Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner”
NASA has its own security, police and SWAT.
This is not the only issue they have:
https://signal.org/blog/cellebrite-vulnerabilities/
it seems cellebrite may be engaged in copyright infringement.
And using cellebrite tools may provide an opportunity for the cellebrite customer to have their system(s) compromised
Re: and in unrelated news...
from signal…
Few things are more sour than tasting your own medicine
Oh that is just too good, a company that sells and profits off the access of private data that isn’t theirs for others to pour over and look for incriminating stuff has their private data handed over to third parties for other people to look over and look for incriminating stuff.
Re:
In all the reports of government (mis)use people tend to forget, or not understand, just how useful such tools are for more, um, tasteful reasons.
Cell phone stores use to to move device date from one phone to brother, even when severely damaged.
Technicians use them to make full backups before major phone or tablet repair.
So the issue is not in the product existing but rather how it is used.
All said, though, this is a major whoops 😅
Nothing to see here!
The public has a funny way of deciding for itself what is and what is not interesting.
https://www.youtube.com/watch?v=aKnX5wci404