Turning the EU’s data protection regulation against itself
Anyone who thought that GDPR would help solve EU residents’ data privacy woes may want to think again, as new research shows just how easy it is for a malicious actor to turn the regulation against itself in order to scoop up sensitive information.
It’s been just over a year since the General Data Protection Regulation (GDPR) came into force in the EU, landmark legislation that lays down strong ground rules for any organization entrusted with the personal data of people in the EU.
However, the regulation is clearly far from bulletproof. James Pavur, a DPhil student at Oxford University’s Cybersecurity Center for Doctoral Training, has shown how the legislation’s ‘right of access’ provision (Article 15) can be leveraged to compel organizations to hand their customers’ personally identifiable information to an impostor.
Presenting his research at Black Hat USA in Las Vegas earlier today, Pavur pulled focus on GDPR’s ‘right of access’ clause, which stipulates that individuals have the right to request a copy of all the information a company holds on them.
James Pavur at Black Hat 2019
In the amusingly-titled ‘GDPArrrrr: Using Privacy Laws to Steal Identities’, the researcher explained how he assumed the identity of his fiancée (with her knowledge and permission) and sent out emails to 150 companies, requesting access to the data that they held on her.
When asked to prove his (or, rather, her) identity, Pavur used only information that had been gathered using open source intelligence techniques (such as full name, email addresses, and phone number).
The results were interesting, to say the least.
Of the 150 organizations targeted, 75% responded to the access request at all; by failing to respond, the remaining 25% risked contravening GDPR themselves.
Far more worrying, however, was that one in four organizations accepted knowledge of an email address as proof of identity before sending across a wealth of personally identifiable information.
At the highest level of sensitivity, companies served up a trove of data, including Social Security number, date of birth, high school grades, and mother’s maiden name, Pavur said.
Weaponizing the right of access process
The researcher noted that his success rate was likely improved by his refusal to send any proof of identity via email.
This, he said, put added time pressure on organizations that had no secure channel for receiving identity documents, effectively strong-arming them into accepting a weaker form of identification before the response deadline.
“For me, this attack took a matter of minutes to run,” Pavur explained. “But for organizations it was days, if not weeks of work to issue their responses. There’s a huge disproportionate advantage for an attacker.”
He added: “The worst response was from three or four companies who saw the word ‘GDPR’, saw my fiancée’s name, and immediately deleted her account.
“Denial of service via GDPR was an unintended consequence.”
A white paper outlining Pavur’s research is now available (PDF).