The GDPR Is A Wide Open Vulnerability For Identity Fraud And Scams

from the how-does-this-help-privacy-again? dept

We've spent the last year and a half or so pointing out that, while it may have been well-intentioned, there are all sorts of consequences -- whether intended or not -- to the EU's General Data Protection Regulation (GDPR), including giving more power to the giant internet companies (when many argued the GDPR was necessary to curb their power), censorship of media, and a way for the rich and famous to harass people. But, of course, some might argue that those are worthy trade-offs if it did a better job protecting people's privacy.

About that... Last year, we pointed out that one consequence of the GDPR was that, in making it easy to "download" your data, it could open up serious privacy consequences for anyone who has their accounts hacked. In that story, we talked about someone having their Spotify account hacked, and having all the data downloaded -- a situation that might not be that impactful. However, last week, at Black Hat, James Pavur, a PhD student at Oxford, explained how he exploited the GDPR to access a ton of private info about his fiancee.

In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.

"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

In other words, in giving more "protection" over data, the EU has also opened up a new vulnerability. Here's how it worked:

Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her.

Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.

Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.

That last one is kind of fascinating. What companies delete the accounts of people making a GDPR request? At least some of the companies required login info, but Pavur noted that in one case, he told the company he'd forgotten the login... and they gave him the data anyway.

"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."

This could be fixed, and one could argue that companies handing out this info without real proof of ID are, themselves, in violation of the GDPR. But, given that the GDPR is so strict -- you have a very short time frame to return the info or face massive fines), the incentive structure is designed to ignore those formalities and just fork over the information -- even if it's right into the hands of a scammer.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data, downloads, fraud, gdpr, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 17 Aug 2019 @ 12:16pm

    of course it isn't! just ask the pricks who voted it in! those who just happen to be given immunity from it, like everything else that 'only affects ordinary people'!!


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.