About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
In each case, he asked for all the data that they held on his fiancee.
In one case, the response included the results of a criminal activity check.
Other replies included credit card information, travel details, account logins and passwords, and the target’s full US social security number.
University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.
It’s pretty fucked up:
Mr Pavur’s bride-to-be gave him permission to carry out the tests and helped write up the findings, but otherwise did not participate in the operation.
So for correspondence, the researcher created a fake email address for his partner, in the format “first name-middle initial-last email@example.com”.
An accompanying letter said that under GDPR, the recipient had one month to respond.
It added that he could provide additional identity documents via a “secure online portal” if required. This was a deliberate deception since he believed many businesses lacked such a facility and would not have time to create one.
The attacks were carried out in two waves.
For the first half of those contacted, he used only the information detailed above. But for the second batch, he drew on personal details revealed by the first group to answer follow-up questions.
The idea, he said, was to replicate the kind of attack that could be carried out by someone starting with just the details found on a basic LinkedIn page or other online public profile.
So basically… don’t interact with companies.