Data Privacy, GRC
Can GDPR ‘Help’ Hackers?

Written by Elliott Thompson

Published on 30 Oct 2019

August in Las Vegas is an exciting time, particularly for hackers. That’s because it plays host to two of the most prominent events in the cybersecurity calendar – Black Hat USA and DEF CON. Both events throw up some interesting announcements and angles on cybersecurity issues, and one story from this year’s Black Hat caught our attention.

At this year’s event, University of Oxford DPhil student James Pavur revealed how he used the principles of GDPR to steal his fiancée’s data. He claimed to be using the data privacy regulation against itself – but is that really the full story? Let’s take a closer look.

The details of the case

First, let’s consider what Pavur claims to have done. His focus was on the right of access provision in the GDPR, which empowers European citizens to request all of the data a particular provider holds on them. Many journalists and amateur investigators have already tried similar processes, requesting, for example, all of the data held on them by the dating app Tinder.

Pavur sent data subject access requests (DSARs) in his fiancée’s name to over 150 separate organizations to see what the results would be. The results were varied. 13% of organizations ignored the request outright, presumably finding Pavur’s claim to his fiancée’s identity unconvincing. 39% of the requests were ultimately denied, with the organizations in question requesting stronger proof of ‘Pavur’s’ identity than just the email address and phone number he provided.

However, 24% of the organizations that Pavur contacted handed over the information they held on his fiancée with only an email address and phone number accepted as proof of ‘her’ identity. Another 16% requested easily forged identity information as a next step.

Pavur’s claim, then, is that this same mechanism could easily be deployed by bad actors seeking to steal individuals’ identities for a wide range of fraudulent and criminal activities. In other words, the GDPR provides an effective ‘cover story’ for individuals seeking to harvest personal data from companies – data which they may then use for nefarious ends.

Digging into the details of Pavur’s experiment suggests that the claim that GDPR can help malicious cybercriminals steal people’s identities is certainly feasible, especially given the rate of success despite his self-imposed limitations: he neither forged documents nor submitted to telephone interviews.

What can we learn?

The introduction of the GDPR was a significant step forward in terms of not only encouraging better security and compliance practices, but also in raising both corporate and individual awareness of data protection issues. GDPR may not be perfect, but overall, it’s a step in the right direction.

In summary, Pavur’s experiment underlines how weak business processes can be exploited through social engineering to trick organizations into errors that put sensitive data dramatically at risk. It is clear that the data subject access requests (DSARs) enabled by the GDPR introduce a new business process that must now exist across many organizations, and while businesses are still cutting their teeth on building these processes, there is room for cybercriminals to extract sensitive data.

The onus for organizations, as ever, is to ensure robust processes are in place to avoid falling victim to such social engineering. These should include educating staff in a dynamic and ongoing way, and putting in place appropriate checks and balances to ensure that DSARs are genuine. Managing DSARs, as well as right-to-erasure requests, through a centralised portal, for example, can help ensure a consistent and risk-centric approach to approval or refusal.
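As an added illustration of the kind of check a centralised DSAR portal could apply (example code written for this page, not SureCloud's product or anything Pavur published): the triage below refuses to release data when the only identity evidence is an email address and phone number, which is exactly the proof that 24% of organizations in the experiment accepted, and it flags a requester whose contact details have already been attached to requests for other data subjects. The evidence tiers, record fields and the policy threshold are assumptions for the example.

```python
"""Added example: triage of an incoming data subject access request (DSAR).

Everything here is hypothetical: the evidence tiers, the request fields and
the release threshold are assumed policy, not taken from the article.
"""
from dataclasses import dataclass, field

# Identity evidence tiers, weakest to strongest (assumed policy).
EVIDENCE_RANK = {
    "contact_only": 0,       # only an email address and phone number supplied
    "account_login": 1,      # request submitted from the authenticated account
    "verified_document": 2,  # identity document checked against the record
}

# Minimum tier before any personal data is released (assumed policy).
RELEASE_THRESHOLD = EVIDENCE_RANK["account_login"]


@dataclass
class DsarRequest:
    request_id: str
    subject_id: str          # the data subject the request is about
    requester_email: str
    requester_phone: str
    evidence: str            # one of the EVIDENCE_RANK keys


@dataclass
class Decision:
    action: str              # "release", "verify_further" or "reject"
    reasons: list = field(default_factory=list)


def triage(request: DsarRequest, history: list) -> Decision:
    """Decide whether a DSAR can be fulfilled or needs stronger verification.

    `history` is the list of previously received DsarRequest objects, which a
    central portal would have; it lets us spot one set of contact details
    being reused to request data about several different people.
    """
    if request.evidence not in EVIDENCE_RANK:
        return Decision("reject", ["unknown evidence type"])

    reasons = []
    if EVIDENCE_RANK[request.evidence] < RELEASE_THRESHOLD:
        reasons.append("contact details alone do not establish identity")

    # Same email or phone previously used for a different data subject.
    other_subjects = {
        h.subject_id
        for h in history
        if h.subject_id != request.subject_id
        and (h.requester_email == request.requester_email
             or h.requester_phone == request.requester_phone)
    }
    if other_subjects:
        reasons.append(
            f"requester contact details already used for "
            f"{len(other_subjects)} other data subject(s)")

    return Decision("verify_further" if reasons else "release", reasons)


if __name__ == "__main__":
    # Constructed sample requests; the values are placeholders.
    first = DsarRequest("R1", "S1", "a@example.com", "+440000000", "contact_only")
    second = DsarRequest("R2", "S2", "a@example.com", "+440000000", "verified_document")
    print(triage(first, []))
    print(triage(second, [first]))
```

The first request is held for further verification because email and phone alone are below the release threshold; the second carries strong evidence but is still held because the same contact details were earlier attached to a request about a different person, which is the pattern a bulk DSAR campaign would leave in a central portal's records.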
