Feds Forced Travel Firms to Share Surveillance Data on Hacker

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

The U.S. government ordered two travel companies to provide information about the movement of a Russian citizen suspected of hacking. The surveillance data was used as part of an investigation by the U.S. Secret Service, according to court documents recently unsealed.

The revelation of how much surveillance the feds ordered the companies to carry out in a 2015 investigation of Russian hacker Aleksei Burkov once again raises questions of privacy, accountability and responsibility about how much access the government should have to an individual’s private data.

A letter from Forbes prompted the unsealing of court documents in the case of Burkov, a now-infamous cybercriminal who at the time of the investigation was suspected of facilitating the theft of $20 million from stolen credit cards on a website called Cardplanet that he was running on the dark web.

The feds arrested Burkov at Ben-Gurion Airport near Tel Aviv in December 2015, and he eventually was extradited to the U.S. in 2019. In January 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud and money laundering.

Burkov eventually was sentenced to nine years in a federal prison, but was mysteriously sent back to Russia in September 2021 for reasons that are still unclear, according to Forbes.

Forbes submitted a legal challenge to unseal documents in the case, which it won, subsequently publishing a report this week on what those documents revealed: extensive surveillance of Burkov by two travel companies, U.S.-based Sabre and U.K.-based Travelport, at the behest of the feds. The government used this data to track Burkov’s movements, which eventually led to his arrest and prosecution.

Tracking Burkov’s Movement

The court documents show that in November 2015, a judge in the U.S. District Court for the Eastern District of Virginia granted a request by the U.S. government and ordered Sabre and Travelport to provide “all records, services and usages” of Burkov for a two-year period following the issuing of the order. The companies also had to provide a “real time” report on a weekly basis of Burkov’s account activity to the feds.

The order was granted under the All Writs Act, a broad, 233-year-old law that allows for the government to “issue all writs necessary and appropriate” to aid authorities in their quest for the “proper administration of justice.”

The act is open to interpretation and has already been used a number of times by the U.S. government as a means of forcing tech companies into giving up information to aid them in investigations—a situation the American Civil Liberties Union deems “improper use.”

Indeed, the act has most often been used against tech giants Google and Apple to force them to help the federal government unlock Android devices or iPhones of suspects in criminal cases.

The most high-profile of these cases came after a 2015 mass shooting in San Bernardino, Calif., when Apple held its ground in its refusal to unlock the iPhone of shooter Syed Rizwan Farook. Eventually, the case came to an end when the FBI managed to unlock the device without Apple’s help.

Privacy Issues or Just Cause?

While privacy advocates believe the federal use of the courts to force tech companies to give up data that customers shared with them in privacy is an overreach, security professionals for the most part support the action in the case of criminal investigations—to a point.

The monitoring of Burkov’s movement to apprehend him was justified due to the criminal nature of his activity, one security professional told Threatpost.

“After reviewing the facts of the case, a federal judge agreed there was enough cause and issued a ruling that authorized this activity,” Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer and current senior vice president at security firm KnowBe4, wrote in an email to Threatpost. “This was not a case of rogue government officials conducting unapproved data collection.”

Another security professional said that he’s not overly concerned if the federal government uses legal means to get access to private data collected by technology companies. However, it’s not always clear who has access to the “massive troves of data” being collected by companies like Meta and Google, observed John Bambenek, Principal Threat Hunter at security and operations analytics company Netenrich, in an email to Threatpost. This, he said, is concerning and should be remedied.

“Whether it’s Meta saying they can’t figure out where personal data is being used inside Meta, or law enforcement being able to get real time information on suspects, society just hasn’t come to grips with the implications of surveillance capitalism,” he said.
