Europe’s GDPR, a major step forward in data protection, could turn into an identity thief's heaven, thanks to poor implementation and a little social engineering.
James Pavur, a Ph.D. student at Oxford University, explained in a presentation at the Black Hat security conference held in Las Vegas how he was able to hack the GDPR system to access all sorts of sensitive information, including credit card and social security numbers – in this case of his fiancée.
“Privacy laws, like any other infosecurity control, have exploitable vulnerabilities,” he said. “If we'd look at these vulnerabilities before the law was enacted, we could pick up on them.”
James Pavur started his research thanks to a delayed flight. He and his girlfriend were waiting in the departure lounge of a Polish airport and joked about spamming the airline with GDPR requests in retaliation for the delay. They ultimately didn’t put the plan into practice, but the joke sparked the idea of probing the GDPR system in search of information, and Pavur’s girlfriend agreed to be the subject of the experiment.
For two months, Pavur sent 150 GDPR requests in his girlfriend's name, asking for all data available on her. In total, 72 percent of companies replied, with 83 companies stating that they had information on her.
Five percent of responses, mainly from large US companies, denied being subject to GDPR rules at all.
Disturbingly, 24 percent of the responders accepted a simple email address and phone number as proof of identity and sent over any information they had on the person. 16 percent required just some additional ID information, while 3 percent decided to go the hard way and deleted the person’s account.
Several companies asked for her account credentials as proof of identity, which, according to Pavur, is quite a good strategy. But in some cases companies would still send the information anyway, for example when the requester claimed to have lost the credentials.
The quantity and quality of the information sent by the companies are disturbing. An educational software company sent the social security number, date of birth, and mother’s maiden name of Pavur’s girlfriend. Another company handed over 10 digits of her credit card number, its expiry date and card type, and her zip code.
“An organization she had never heard of, and never interacted with, had some of the most sensitive data about her,” Pavur said. “GDPR provided a pretext for anyone in the world to collect that information.”
Pavur suggested that the solution to this issue has to come from both legislators and companies.
On one side, lawmakers need to regulate and establish a legitimate standard of identity proof for GDPR requests. On the other, companies should refuse to send information when they are unable to properly verify the requester's identity, even at the risk of ending up in court.