GDPR privacy can be defeated using right of access requests

A British researcher has uncovered an ironic security hole in the EU’s General Data Protection Regulation (GDPR) – right of access requests.

Right of access, also called subject access, is the part of the GDPR regulation that allows individuals to ask organisations for a copy of any data held on them.

This makes sense because, as with any user privacy system, there must be a legally enforceable mechanism which allows people to check the accuracy and quantity of personal data.

Unfortunately, in what can charitably be described as a massive GDPR teething problem, Oxford University PhD student James Pavur has discovered that too many companies are handing out personal data when asked, without checking who’s asking for it.

In his session entitled GDPArrrrr: Using Privacy Laws to Steal Identities at this week’s Black Hat show, Pavur documents how he decided to see how easy it would be to use right of access requests to ‘steal’ the personal data of his fiancée (with her permission).

After contacting 150 UK and US organisations posing as her, the answer was not hard at all.

According to the accounts by journalists who attended the session, for the first 75 contacted by letter, he impersonated her by providing only information he was able to find online full name, email address, phone numbers – which some companies responded to by supplying her home address.

Armed with this extra information, he then contacted a further 75 by email, which satisfied some to the extent they sent back his fiancee’s social security number, previous home addresses, hotel logs, school grades, whether she’d used online dating, and even her credit card numbers.

Pavur didn’t even need to fake identity documents or forge signatures to back up his requests and didn’t spoof her real email addresses to make his requests seem more genuine.