Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

Revenge plan morphs into data leak discovery


Black Hat When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves.

In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.

"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

Pavur's research started in an unlikely place - the departure lounge of a Polish airport. After the flight he and his fiancée were supposed to travel on was delayed, they joked about spamming the airline with GDPR requests to get revenge. They didn't, but it sparked an idea to see what information you could get on other people, and Pavur's partner agreed to act as a guinea pig for the experiment.

For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.

In addition, the people who handle GDPR requests are usually admin or legal staff, not security staff used to social engineering tactics. This makes information gathering much easier.

Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for any and all data on her. In all, 72 per cent of companies replied, and 83 companies said that they had information on her.

Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.

Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.

A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined. But when one gaming company tried it, he simply said he'd forgotten the login and they sent it anyway.

The range of information the companies sent in is disturbing. An educational software company sent Pavur his fiancée's social security number, date of birth and her mother's maiden name. Another firm sent over 10 digits of her credit card number, the expiration date, card type and her postcode.

A threat intelligence company - not Have I Been Pwned - sent over a list of her email addresses and passwords which had already been compromised in attacks. Several of these still worked on some accounts - Pavur said he has now set her up with a password manager to avoid a repeat of this.

"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."

Fixing this issue is going to take action from both legislators and companies, Pavur said.

First off, lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests. One rail company was happy to send out personal information, accepting a used envelope addressed to the fiancée as proof of identity.

He suggested that requesting account login details is a good idea, but there's always the possibility that such accounts have been pwned. A driver's licence would also be a good alternative, although fake IDs are rife.

Companies should be prepared to refuse information requests unless proper proof of identity is provided, he suggested. It may come to a court case, but being seen to protect the data of customers would be no bad thing. ®
