Researcher exploits GDPR rules to uncover partner's data

Experiment reveals many companies are failing to use even basic verification checks

A researcher has revealed how he was able to exploit GDPR data requests and dupe companies into handing over information belonging to his partner by using a fake email address.

Roughly one in four of the targeted firms revealed the women's personal details, including in one instance the results of a historic criminal background check.

University of Oxford researcher James Pavur said he was able to obtain highly sensitive data such as user names and passwords, addresses and a social security number by providing only limited information.

Under the GDPR's 'Right to Access' companies have one month to respond to a request or face investigation by data regulators. The findings from Pavur's test reveal that many firms are struggling to implement security checks on data requests due to the time limit - or in some cases, are failing to enforce or follow up on basic verification practices.

With his girlfriend's consent, Pavur devised a simple experiment, sending out 75 'Right of Access' requests in her name, asking for all and any data held on her. He started with the little details at first, which he called the "low hanging fruit", such as her full name, a couple of email addresses and phone numbers. He then used this information to conduct a second wave of 75 further requests.

Within two months, Pavur was able to get his fiance's social security number, date of birth, her mother's maiden name, passwords, previous home addresses, travel and hotel logs, her high school grades, partial credit card numbers and even information about online dating.

"That's a huge amount of information that I was able to get just knowing her email address and her phone number," said Pavur, presenting his findings at Black Hat 2019 this week, as reported by Vice. "Very sensitive stuff that she's never told me, and probably never told anyone."

In all, 72% of companies replied back, with 83 firms saying it had information on her. Of those responses, 24% simply accepted an email address and phone number as proof of identity and handed over requested data.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC. "Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

Companies that came out well from the test included Tesco, American Airlines and Bed Bath and Beyond, but Pavur didn't name the ones that had failed, giving vague examples such as a hotel chain, two rail companies, both UK-based, and a US-based education company that gave out Knerr's high school grades.

The idea for the test came from a wager Pavur had made to his girlfriend after their flight was delayed at a Polish airport. The pair joked about exacting revenge on the airline by spamming it with GDPR requests. While they didn't act on that idea, the idea to test data requests stuck with them.

In one case, a gaming firm that Pavur left unnamed, asked for account login details as proof of identity, when he said he had forgotten the login, they sent him her information regardless.

"I do feel a bit concerned about how easy it was to get sensitive information on me," Knerr said, "though I'm hoping that with time and maybe more awareness companies improve their processes."

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020