Researcher exploits GDPR rules to uncover partner's data

Experiment reveals many companies are failing to use even basic verification checks

A researcher has revealed how he was able to exploit GDPR data requests and dupe companies into handing over information belonging to his partner by using a fake email address.

Roughly one in four of the targeted firms revealed the woman's personal details, including, in one instance, the results of a historic criminal background check.

University of Oxford researcher James Pavur said he was able to obtain highly sensitive data such as user names and passwords, addresses and a social security number by providing only limited information.

Under the GDPR's 'Right to Access', companies have one month to respond to a request or face investigation by data regulators. The findings from Pavur's test reveal that many firms are struggling to implement security checks on data requests within that time limit - or, in some cases, are failing to enforce or follow up on basic verification practices at all.


With his girlfriend's consent, Pavur devised a simple experiment, sending out 75 'Right of Access' requests in her name, asking for any and all data held on her. He started with the little details, which he called the "low hanging fruit", such as her full name, a couple of email addresses and phone numbers. He then used this information to conduct a second wave of 75 further requests.

Within two months, Pavur was able to get his fiancée's social security number, date of birth, her mother's maiden name, passwords, previous home addresses, travel and hotel logs, her high school grades, partial credit card numbers and even information about online dating.

"That's a huge amount of information that I was able to get just knowing her email address and her phone number," said Pavur, presenting his findings at Black Hat 2019 this week, as reported by Vice. "Very sensitive stuff that she's never told me, and probably never told anyone."

In all, 72% of companies replied, with 83 firms saying they had information on her. Of those responses, 24% simply accepted an email address and phone number as proof of identity and handed over the requested data.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC. "Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

Companies that came out well from the test included Tesco, American Airlines and Bed Bath and Beyond. Pavur didn't name the ones that had failed, giving only general descriptions such as a hotel chain, two UK-based rail companies, and a US-based education company that gave out Knerr's high school grades.

The idea for the test came from a wager Pavur had made with his girlfriend after their flight was delayed at a Polish airport. The pair joked about exacting revenge on the airline by spamming it with GDPR requests. While they didn't act on that idea, the idea of testing data requests stuck with them.

In one case, a gaming firm that Pavur left unnamed asked for account login details as proof of identity. When he said he had forgotten the login, they sent him her information regardless.

"I do feel a bit concerned about how easy it was to get sensitive information on me," Knerr said, "though I'm hoping that with time and maybe more awareness companies improve their processes."
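The two verification failures the article describes (accepting a self-asserted email address and phone number as proof of identity, and releasing data after the requester says they have forgotten their login) can both be closed by a fail-closed intake policy. The Python module below is an added illustration written for this page; it is not code from Pavur's research or from any company named above, and the subject record, the addresses and the hash-based password check are constructed stand-ins. It contrasts the weak policy with one that releases data only after a verified password or a one-time challenge completed from the address already on file, so a lookalike reply-to address never receives anything.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    RELEASE = "release"            # hand the subject's data over
    CHALLENGE_SENT = "challenge"   # a one-time link went to the address on record
    REFUSE = "refuse"              # fail closed; nothing is disclosed


@dataclass
class SubjectRecord:
    """What the company already holds on the data subject (constructed sample)."""
    email_on_file: str
    phone_on_file: str
    password_sha256: str   # stand-in for a real password hash; use a slow KDF in practice


@dataclass
class AccessRequest:
    """A Right-of-Access request as it arrives at the intake desk."""
    claimed_email: str
    claimed_phone: str
    reply_to: str                           # where the requester wants the answer sent
    password: Optional[str] = None          # account login, if the requester offers it
    challenge_token: Optional[str] = None   # one-time token returned from a challenge


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def make_record(email: str, phone: str, password: str) -> SubjectRecord:
    return SubjectRecord(email, phone, sha256_hex(password))


def weak_policy(req: AccessRequest, rec: SubjectRecord) -> Decision:
    """The failure mode in the article: knowing the email and phone number on file
    counts as proof of identity, and the reply goes wherever the requester asks."""
    if req.claimed_email == rec.email_on_file and req.claimed_phone == rec.phone_on_file:
        return Decision.RELEASE
    return Decision.REFUSE


class VerifiedPolicy:
    """Releases data only on proof of control of the account or of the address on record."""

    def __init__(self) -> None:
        self._pending = {}   # sha256(token) -> email address the token was issued to

    def decide(self, req: AccessRequest,
               rec: SubjectRecord) -> Tuple[Decision, Optional[Tuple[str, str]]]:
        # Path 1: the requester supplies the account password and it verifies.
        if req.password is not None:
            if hmac.compare_digest(sha256_hex(req.password), rec.password_sha256):
                return Decision.RELEASE, None
            return Decision.REFUSE, None   # wrong password: no downgrade to weaker proof

        # Path 2: the requester returns a one-time token from an earlier challenge.
        if req.challenge_token is not None:
            owner = self._pending.pop(sha256_hex(req.challenge_token), None)  # single use
            if owner is not None and owner == rec.email_on_file:
                return Decision.RELEASE, None
            return Decision.REFUSE, None

        # Path 3: "I forgot my login". Send a challenge to the address already on
        # record, never to req.reply_to, and disclose nothing until it comes back.
        token = secrets.token_urlsafe(32)
        self._pending[sha256_hex(token)] = rec.email_on_file
        return Decision.CHALLENGE_SENT, (rec.email_on_file, token)  # models the outbound email


def demo() -> list:
    """Walks a constructed impostor request through both policies; returns the decisions."""
    rec = make_record("subject@example.com", "+15550100", "correct horse battery staple")
    impostor = AccessRequest("subject@example.com", "+15550100", reply_to="lookalike@example.net")
    out = [weak_policy(impostor, rec)]                 # RELEASE: the 24% outcome
    policy = VerifiedPolicy()
    decision, sent = policy.decide(impostor, rec)      # CHALLENGE_SENT, to subject@example.com
    out.append(decision)
    guess = AccessRequest(impostor.claimed_email, impostor.claimed_phone,
                          impostor.reply_to, challenge_token="not-the-real-token")
    out.append(policy.decide(guess, rec)[0])           # REFUSE: token unknown
    genuine = AccessRequest(rec.email_on_file, rec.phone_on_file,
                            rec.email_on_file, challenge_token=sent[1])
    out.append(policy.decide(genuine, rec)[0])         # RELEASE: the subject completed the link
    out.append(policy.decide(genuine, rec)[0])         # REFUSE: token already spent
    return out


if __name__ == "__main__":
    for step in demo():
        print(step.value)
```

The point of the design is that the answer to "I forgot my login" is a challenge delivered to the contact details the company already holds, not a release to the address the requester typed in, and that a failed password or unknown token ends the request rather than falling through to the weaker check.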
