Researcher exploits GDPR rules to uncover partner's data

Experiment reveals many companies are failing to use even basic verification checks

A researcher has revealed how he was able to exploit GDPR data requests and dupe companies into handing over information belonging to his partner by using a fake email address.

Roughly one in four of the targeted firms revealed the women's personal details, including in one instance the results of a historic criminal background check.

Advertisement - Article continues below

University of Oxford researcher James Pavur said he was able to obtain highly sensitive data such as user names and passwords, addresses and a social security number by providing only limited information.

Under the GDPR's 'Right to Access' companies have one month to respond to a request or face investigation by data regulators. The findings from Pavur's test reveal that many firms are struggling to implement security checks on data requests due to the time limit - or in some cases, are failing to enforce or follow up on basic verification practices.

With his girlfriend's consent, Pavur devised a simple experiment, sending out 75 'Right of Access' requests in her name, asking for all and any data held on her. He started with the little details at first, which he called the "low hanging fruit", such as her full name, a couple of email addresses and phone numbers. He then used this information to conduct a second wave of 75 further requests.

Within two months, Pavur was able to get his fiance's social security number, date of birth, her mother's maiden name, passwords, previous home addresses, travel and hotel logs, her high school grades, partial credit card numbers and even information about online dating.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"That's a huge amount of information that I was able to get just knowing her email address and her phone number," said Pavur, presenting his findings at Black Hat 2019 this week, as reported by Vice. "Very sensitive stuff that she's never told me, and probably never told anyone."

In all, 72% of companies replied back, with 83 firms saying it had information on her. Of those responses, 24% simply accepted an email address and phone number as proof of identity and handed over requested data.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC. "Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

Companies that came out well from the test included Tesco, American Airlines and Bed Bath and Beyond, but Pavur didn't name the ones that had failed, giving vague examples such as a hotel chain, two rail companies, both UK-based, and a US-based education company that gave out Knerr's high school grades.

Advertisement - Article continues below

The idea for the test came from a wager Pavur had made to his girlfriend after their flight was delayed at a Polish airport. The pair joked about exacting revenge on the airline by spamming it with GDPR requests. While they didn't act on that idea, the idea to test data requests stuck with them.

In one case, a gaming firm that Pavur left unnamed, asked for account login details as proof of identity, when he said he had forgotten the login, they sent him her information regardless.

"I do feel a bit concerned about how easy it was to get sensitive information on me," Knerr said, "though I'm hoping that with time and maybe more awareness companies improve their processes."

  • General Data Protection Regulation (GDPR)
Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020