LAS VEGAS. A PhD researcher at Oxford University has discovered a seam in how companies are complying with the European Union’s General Data Protection Regulation, allowing him to assume the identity of his girlfriend and access her data, often with little pushback from data controllers for hotels, educational services, retailers and others.
James Pavur used the GDPR’s “right of access” provision, requiring companies to reveal information they hold on citizens upon their request, to collect data including his girlfriend’s social security number, date of birth, credit card activity and even account passwords. Pavur detailed the experience in a white paper released here at Black Hat.
“Privacy laws have repeatedly exploitable vulnerabilities,” Pavur said, noting “four features that play into the hands” of would-be identity thieves.
Companies holding the data are afraid of fines for failing to comply with the “right of access” rule, he said. The regulation includes tight deadlines for responding to data requests. The ambitious scale of GDPR – applying to every EU citizen – “requires flexible language that social engineers can exploit”; and “the ambiguity in the law keeps humans in the loop,” who can be manipulated.
Pavur said he “targeted” the law’s “right to access” provision and identified 150 data privacy officers at various companies and wrote them requesting personal information under the assumed name and “using the tight deadline against them.” He created a fake email account and “dictated the terms of engagement” by saying how he wanted the data sent to him.
In terms of good or bad responses, he said, “the organization doesn’t matter. There was a lot of diversity in how the requests were handled,” but little consistency based on the type of entity.
Overall, 83 of 150 entities responded that they had the data of Pavur’s fiancée. “Forty percent asked for a form of ID I couldn’t provide; that’s the good news,” Pavur said. But 16 percent accepted “weak ID and 24 percent simply handed over the requested personally identifiable information.”
Some U.S. companies responded that they were not covered by GDPR, which was “interesting” and probably incorrect, he observed. Others simply said no.
“But even when an organization said no” or demanded more authentication, “I could talk them down.”
That suggests privacy officers are not yet comfortable with the requirements of GDPR, which went into effect last year, or what’s expected of them under the law, he said.
Pavur said his experience should offer some advice to policy makers, including those in the U.S. working on privacy legislation and regulation. First up, he said, “don’t copy and paste the ‘right to access’ language from the GDPR.”
Companies receiving right-to-access requests should require some form of log-in, possibly outsource their e-verification process and “just say no” whenever suspicious of a request.
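The advice above, as an added example of a right-of-access request triage check (a constructed illustration, not code from Pavur’s paper or from any data controller; the evidence categories, the 30-day response window and the field names are assumptions):

```python
"""Triage a right-of-access request: verify first, deliver only to the contact on file,
and track the deadline so time pressure never drives a shortcut."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ranking of identity evidence. Only evidence tied to the existing account
# (a log-in) or an outsourced document check counts as strong.
STRONG_ID = {"authenticated_login", "government_id_verified"}
WEAK_ID = {"email_only", "name_and_dob", "self_asserted"}


@dataclass
class AccessRequest:
    subject_email_on_file: str  # contact the controller already holds for the data subject
    requester_email: str        # address the request actually arrived from
    id_evidence: str            # one of STRONG_ID / WEAK_ID (anything else is unknown)
    requested_delivery: str     # channel the requester asked the data to be sent to
    received: str               # ISO date the request was received, e.g. "2019-08-01"


def triage(req: AccessRequest) -> dict:
    """Return the decision, the only permitted delivery address, the deadline and flags."""
    # Compute the statutory clock up front (assumed one-month window) so it is visible
    # but does not influence the verification decision below.
    deadline = date.fromisoformat(req.received) + timedelta(days=30)
    flags = []
    if req.requester_email.lower() != req.subject_email_on_file.lower():
        flags.append("requester_address_mismatch")
    if req.requested_delivery.lower() != req.subject_email_on_file.lower():
        # The requester does not get to dictate where the data goes.
        flags.append("requester_dictated_delivery_ignored")
    if req.id_evidence in STRONG_ID:
        decision = "release"
    elif req.id_evidence in WEAK_ID and not flags:
        decision = "request_strong_id"  # weak evidence alone: escalate verification
    else:
        decision = "refuse"             # weak or unknown evidence plus a suspicious signal
    deliver_to = req.subject_email_on_file if decision == "release" else None
    return {"decision": decision, "deliver_to": deliver_to,
            "deadline": deadline.isoformat(), "flags": flags}
```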
New legislation and rules should clarify what constitutes appropriate forms of ID, he said, adding, “privacy laws should enhance privacy, not endanger it.” – Charlie Mitchell (firstname.lastname@example.org)