
Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Revenge plan morphs into data leak discovery


Black Hat When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves.

In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.

"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

Pavur's research started in an unlikely place - the departure lounge of a Polish airport. After the flight he and his fiancée were supposed to travel on was delayed, they joked about spamming the airline with GDPR requests to get revenge. They didn't, but it sparked an idea to see what information you could get on other people and Pavur's partner agreed to act as a guinea pig for the experiment.

For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.

In addition, the type of people who handle GDPR requests are usually admin or legal staff, not security people used to social engineering tactics. This makes information gathering much easier.

Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for any and all data on her. In all, 72 per cent of companies replied, and 83 companies said that they had information on her.

Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.

Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.


A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined. But when one gaming company tried it, he simply said he'd forgotten the login and they sent it anyway.

The range of information the companies sent in is disturbing. An educational software company sent Pavur his fiancée's social security number, date of birth and her mother's maiden name. Another firm sent over 10 digits of her credit card number, the expiration date, card type and her postcode.

A threat intelligence company - not Have I Been Pwned - sent over a list of her email addresses and passwords which had already been compromised in attacks. Several of these still worked on some accounts - Pavur said he has now set her up with a password manager to avoid a repeat of this.

"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."

Fixing this issue is going to take action from both legislators and companies, Pavur said.

First off, lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests. One rail company was happy to send out personal information, accepting a used envelope addressed to the fiancée as proof of identity.

He suggested that requesting account login details was a good idea, but there's always the possibility that such accounts have been pwned. A driver's licence would also be a good alternative, although fake IDs are rife.

Companies should be prepared to refuse information requests unless proper proof of identity is provided, he suggested. It may come to a court case, but being seen to protect the data of customers would be no bad thing.
