Hackers are pretending to be police officers and tricking major tech companies like Apple, Amazon, and Charter Communications into giving away sensitive customer data. They use fake documents and fake email addresses to do this. This problem isn’t new, but recent reports show just how easy it is for criminals to get your personal information in just minutes.
According to Wired, this scam works like a service that hackers sell to others. On September 4, a privacy specialist at Charter Communications received an emergency data request by email. The email looked like it came from “Officer Jason Corse” from the Jacksonville Sheriff’s Office.
Within minutes, the specialist gave out the target’s name, home address, phone numbers, and email address. But the request didn’t actually come from a real police officer. It came from a hacker who is part of a group that specializes in doxing. Doxing means publishing private information about someone online without their permission.
Hackers are exploiting a major flaw in how emergency requests work
A hacker called Exempt claims his group has successfully gotten data from almost every major US tech company, including smaller platforms like Rumble. Exempt said the Charter incident “took all of 20 minutes.” He claims his group has made up to 500 successful requests in recent years and earned over $18,000 in August alone. When asked what the stolen information is used for, Exempt simply said, “I usually do not care.”
The hackers take advantage of a big weakness in the US legal system called the Emergency Data Request, or EDR. When police need to identify a user or get account details, they usually send a subpoena or warrant. But EDRs are used when there’s an immediate threat of harm or death. These requests skip strict verification steps because companies feel pressured to respond quickly to possibly save a life.
Because there are about 18,000 different law enforcement agencies across the US, all with different email styles and domains, it’s easy for hackers to fake their identity. Exempt explained how they tricked Charter Communications.
The real Jacksonville Sheriff’s Office domain is jaxsheriff.org. The hackers bought jaxsheriff.us instead. They also spoofed their phone number to match the department’s main line. When Charter called to verify the request, the number came back to the real Sheriff’s Office, so the company had no reason to doubt the email.
The hackers also create very convincing fake official documents. Exempt said they look at real subpoenas available through public records and copy the correct legal wording. They even check online to make sure the judge named on the fake warrant is actually in court that day. This way, if a company tries to call the judge, they would be in the building but too busy to verify the document.
Some companies have caught and blocked these imposters. Amazon admitted that one hacker received basic account data for fewer than ten customers before being stopped. While Amazon has faced its own customer service controversies, this security issue affects all tech giants equally. Matt Donahue, a former FBI agent, founded a company called Kodex that provides secure online portals for law enforcement requests. He noted that email wasn’t built for the identity verification needed today.
However, over 80 percent of companies still accept EDRs via email. Major retailers like Walmart have their own technology challenges to manage, but this data security problem is far more serious. Even worse, hackers are now adapting to these secure portals.
Published: Dec 12, 2025 12:00 pm