Privacy law exploited to reveal fiancee’s data

Tags: #<Tag:0x00007f7368fc5480>

About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target’s full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It’s pretty fucked up:

Mr Pavur’s bride-to-be gave him permission to carry out the tests and helped write up the findings, but otherwise did not participate in the operation.

So for correspondence, the researcher created a fake email address for his partner, in the format “first name-middle initial-last”.

An accompanying letter said that under GDPR, the recipient had one month to respond.

It added that he could provide additional identity documents via a “secure online portal” if required. This was a deliberate deception since he believed many businesses lacked such a facility and would not have time to create one.

The attacks were carried out in two waves.

For the first half of those contacted, he used only the information detailed above. But for the second batch, he drew on personal details revealed by the first group to answer follow-up questions.

The idea, he said, was to replicate the kind of attack that could be carried out by someone starting with just the details found on a basic LinkedIn page or other online public profile.

So basically… don’t interact with companies. :roll_eyes:

1 Like

Mr Pavur said that a total of 60 distinct pieces of personal information about his girlfriend were ultimately exposed.

These included a list of past purchases, 10 digits of her credit card number, its expiry date and issuer, and her past and present addresses.

In addition, one threat intelligence firm provided a record of breached usernames and passwords it held on his partner. These still worked on at least 10 online services as she had used the same logins for multiple sites.

In one case, the GDPR request letter was posted to the internet after being sent to an advertising company, constituting a data breach in itself. It contained the fiancee’s name, address, email and phone number.

“Luckily it only had very simple data,” said Mr Pavur.

“But you could imagine someone sending a letter with more detailed information.”

Overall, of the 83 firms known to have held data about his partner, Mr Pavur said:

  • 24% supplied personal information without verifying the requester’s identity
  • 16% requested an easily forged type of ID that he did not provide
  • 39% asked for a “strong” type of ID
  • 5% said they had no data to share, even though the fiancee had an account controlled by them
  • 3% misinterpreted the request and said they had deleted all her data
  • 13% ignored the request altogether

Emphasis mine… ahem: hahahahahahahaha!