One of the key features of the GDPR is that any person can ask for a copy of the personal data that an organisation holds about them online. This is called the right of access, and it lets people check the accuracy of the data kept on them.

But a researcher has discovered a serious flaw: too many companies are simply releasing copies of personal data to anyone who asks for them. Sometimes these companies don’t even try to verify the identity of the person seeking the data.

John E. Dunn filed this report for Naked Security:

Unfortunately, in what can charitably be described as a massive GDPR teething problem, Oxford University PhD student James Pavur has discovered that too many companies are handing out personal data when asked, without checking who’s asking for it.

In his session entitled GDPArrrrr: Using Privacy Laws to Steal Identities at this week’s Black Hat show, Pavur documents how he decided to see how easy it would be to use right of access requests to ‘steal’ the personal data of his fiancée (with her permission).

After contacting 150 UK and US organizations posing as her, the answer was not hard at all. According to the accounts by journalists who attended the session, for the first 75 contacted by letter, he impersonated her by providing only information he was able to find online – full name, email address, phone numbers – which some companies responded to by supplying her home address.

Armed with this extra information, he then contacted a further 75 by email, which satisfied some to the extent they sent back his fiancée’s social security number, previous home addresses, hotel logs, school grades, whether she’d used online dating, and even her credit card numbers.

Pavur didn’t even need to fake identity documents or forge signatures to back up his requests and didn’t spoof her real email addresses to make his requests seem more genuine.