This is both a privacy issue and a security issue. As Brian Krebs reports:
The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.
In an alert (PDF) published this week, the FBI said it has seen an uptick in postings on criminal forums regarding the process of emergency data requests (EDRs) and the sale of email credentials stolen from police departments and government agencies.
“Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI warned.
Read more at KrebsOnSecurity.com.
In April 2022, DataBreaches.net reported on how some criminals were sending fraudulent EDRs to target researchers and journalists. At that time, criminals appeared to be using compromised email accounts from U.S. law enforcement personnel to send their emergency requests. With the personal information in hand, threat actors could then get their targets swatted or arrange for violence against them or their families.
It was, and remains, a frightening risk if businesses that store personal information do not have adequate checks or protections against fake EDRs. Anyone can become the target of an EDR sent by criminals who will lie about its purpose.