Researcher exploits GDPR rules to uncover partner's data

Experiment reveals many companies are failing to use even basic verification checks

A researcher has revealed how he was able to exploit GDPR data requests and dupe companies into handing over information belonging to his partner by using a fake email address.

Roughly one in four of the targeted firms revealed the woman's personal details, including in one instance the results of a historic criminal background check.


University of Oxford researcher James Pavur said he was able to obtain highly sensitive data such as user names and passwords, addresses and a social security number by providing only limited information.

Under the GDPR's 'Right of Access', companies have one month to respond to a request or face investigation by data regulators. The findings from Pavur's test reveal that many firms are struggling to implement security checks on data requests within the time limit, or in some cases are failing to enforce or follow up on basic verification practices.

With his girlfriend's consent, Pavur devised a simple experiment, sending out 75 'Right of Access' requests in her name, asking for all and any data held on her. He started with the little details at first, which he called the "low hanging fruit", such as her full name, a couple of email addresses and phone numbers. He then used this information to conduct a second wave of 75 further requests.

Within two months, Pavur was able to get his fiancée's social security number, date of birth, her mother's maiden name, passwords, previous home addresses, travel and hotel logs, her high school grades, partial credit card numbers and even information about online dating.


"That's a huge amount of information that I was able to get just knowing her email address and her phone number," said Pavur, presenting his findings at Black Hat 2019 this week, as reported by Vice. "Very sensitive stuff that she's never told me, and probably never told anyone."

In all, 72% of companies replied, with 83 firms saying they had information on her. Of those responses, 24% simply accepted an email address and phone number as proof of identity and handed over the requested data.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC. "Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

Companies that came out well from the test included Tesco, American Airlines and Bed Bath and Beyond, but Pavur didn't name the ones that had failed, giving only vague descriptions such as a hotel chain, two rail companies, both UK-based, and a US-based education company that gave out Knerr's high school grades.


The idea for the test came from a wager Pavur had made with his girlfriend after their flight was delayed at a Polish airport. The pair joked about exacting revenge on the airline by spamming it with GDPR requests. While they didn't act on that, the idea of testing data requests stuck with them.

In one case, a gaming firm that Pavur left unnamed asked for account login details as proof of identity; when he said he had forgotten the login, they sent him her information regardless.
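The two failures the article reports are (a) treating requester-supplied contact details as proof of identity and (b) dropping the verification step when the requester says they cannot complete it. The following Python is an added illustration of a DSAR intake check that avoids both; it is not code from the article, from Pavur's research or from any of the companies named, and the subject records, names and the `outbox` stand-in for an email sender are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OPENED = "opened"          # record matched, challenge sent to the contact on file
    VERIFIED = "verified"      # requester proved control of that contact
    REVIEW = "manual_review"   # requester could not complete the challenge
    REJECTED = "rejected"      # too many wrong challenge responses


@dataclass
class Subject:
    subject_id: str
    email_on_file: str
    phone_on_file: str
    data: dict


@dataclass
class Request:
    subject_id: str
    token: str
    state: State
    attempts: int = 0


# Constructed sample records (hypothetical, not from the article).
SUBJECTS = [
    Subject("s-001", "alex@example.com", "+44 7000 000000",
            {"dob": "1990-01-01", "addresses": ["1 Example Street"]}),
    Subject("s-002", "sam@example.org", "+44 7000 000001",
            {"dob": "1985-05-05", "addresses": ["2 Sample Road"]}),
]


class DsarVerifier:
    MAX_ATTEMPTS = 3

    def __init__(self, subjects):
        self._by_email = {s.email_on_file.lower(): s for s in subjects}
        self._by_id = {s.subject_id: s for s in subjects}
        self._requests = {}
        self.outbox = []  # (destination, token): stand-in for an email sender

    def open_request(self, claimed_email, claimed_phone, reply_to):
        """Match the claim against records, then challenge the contact ON FILE.

        `reply_to` is where the requester asks for the data to be sent. It is
        deliberately never used: an address chosen by the requester proves nothing.
        """
        subj = self._by_email.get(claimed_email.lower())
        if subj is None or not hmac.compare_digest(
                subj.phone_on_file.encode(), claimed_phone.encode()):
            return None  # same answer for unknown email and wrong phone
        request_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(16)
        self._requests[request_id] = Request(subj.subject_id, token, State.OPENED)
        self.outbox.append((subj.email_on_file, token))
        return request_id

    def confirm(self, request_id, presented_token):
        """Requester returns the token delivered to the on-file address."""
        req = self._requests[request_id]
        if req.state is not State.OPENED:
            return req.state
        req.attempts += 1
        if hmac.compare_digest(req.token.encode(), presented_token.encode()):
            req.state = State.VERIFIED
        elif req.attempts >= self.MAX_ATTEMPTS:
            req.state = State.REJECTED
        return req.state

    def cannot_complete(self, request_id):
        """Requester says they no longer have access (the 'forgotten login' case).

        The request is parked for manual identity review rather than being
        downgraded to 'send it anyway'.
        """
        req = self._requests[request_id]
        if req.state is State.OPENED:
            req.state = State.REVIEW
        return req.state

    def release(self, request_id):
        """Return (destination, data) only for a VERIFIED request, else None."""
        req = self._requests[request_id]
        if req.state is not State.VERIFIED:
            return None
        subj = self._by_id[req.subject_id]
        return subj.email_on_file, subj.data
```

The point of the design is that knowing an email address and phone number only lets a requester open a case; releasing anything requires proving control of the contact the organisation already holds, and the "I can't do that" path ends in a review queue, not a download. Usage: `open_request(...)` returns a request id, the token appears in `outbox` addressed to the on-file email, and `release(...)` returns `None` until `confirm(...)` has moved the request to `VERIFIED`.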

"I do feel a bit concerned about how easy it was to get sensitive information on me," Knerr said, "though I'm hoping that with time and maybe more awareness companies improve their processes."
