Researcher exploits GDPR rules to uncover partner's data

Experiment reveals many companies are failing to use even basic verification checks

A researcher has revealed how he was able to exploit GDPR data requests and dupe companies into handing over information belonging to his partner by using a fake email address.

Roughly one in four of the targeted firms revealed the woman's personal details, including, in one instance, the results of a historic criminal background check.

University of Oxford researcher James Pavur said he was able to obtain highly sensitive data such as user names and passwords, addresses and a social security number by providing only limited information.

Under the GDPR's 'Right of Access', companies have one month to respond to a request or face investigation by data regulators. The findings from Pavur's test suggest that many firms are struggling to implement security checks on data requests within that time limit, or in some cases are failing to enforce or follow up on basic verification practices.


With his girlfriend's consent, Pavur devised a simple experiment, sending out 75 'Right of Access' requests in her name, asking for any and all data held on her. He started with the little details, which he called the "low hanging fruit", such as her full name, a couple of email addresses and phone numbers. He then used this information to conduct a second wave of 75 further requests.

Within two months, Pavur was able to get his fiancée's social security number, date of birth, her mother's maiden name, passwords, previous home addresses, travel and hotel logs, her high school grades, partial credit card numbers and even information about online dating.

"That's a huge amount of information that I was able to get just knowing her email address and her phone number," said Pavur, presenting his findings at Black Hat 2019 this week, as reported by Vice. "Very sensitive stuff that she's never told me, and probably never told anyone."

In all, 72% of companies replied, with 83 firms saying they had information on her. Of those responses, 24% simply accepted an email address and phone number as proof of identity and handed over the requested data.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC. "Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."


Companies that came out well from the test included Tesco, American Airlines and Bed Bath and Beyond, but Pavur didn't name the ones that had failed, giving only general descriptions such as a hotel chain, two UK-based rail companies, and a US-based education company that gave out Knerr's high school grades.

The idea for the test came from a wager Pavur had made with his girlfriend after their flight was delayed at a Polish airport. The pair joked about exacting revenge on the airline by spamming it with GDPR requests. While they didn't act on that idea, the idea of testing data requests stuck with them.

In one case, a gaming firm that Pavur left unnamed asked for account login details as proof of identity. When he said he had forgotten the login, they sent him her information regardless.

"I do feel a bit concerned about how easy it was to get sensitive information on me," Knerr said, "though I'm hoping that with time and maybe more awareness companies improve their processes."
