Author: Elliott Thompson, SureCloud Senior Cybersecurity Consultant, Speaker at DEFCON 2019
August in Las Vegas is an exciting time, particularly for hackers. That’s because it plays host to two of the most prominent events in the cybersecurity calendar – Black Hat USA and DEF CON. Both events throw up some interesting announcements and angles on cybersecurity issues, and one story from this year’s Black Hat caught our attention.
At this year’s event, University of Oxford DPhil student, James Pavur revealed how he used the principles of GDPR to steal his fiancée’s data. He claimed to be using the data privacy regulation against itself – but is that really the full story? Let’s take a closer look.
First, let’s consider what Pavur claims to have done. His focus was on the Rights of Access provision in the GDPR, which empowers European citizens to request all of the data held on them by a particular provider. Many journalists and amateur investigators have already tried similar processes, requesting, for example, all of the data held on them by the dating app Tinder.
Pavur, then, sent off data subject access requests (DSARs) in his fiancée’s name to over 150 separate organizations to see what the results were. The results were varied. 13% of organizations ignored the request outright, presumably finding Pavur’s claim of his fiancée’s identity unconvincing. 39% of the requests were ultimately denied, with the organizations in question requesting stronger proof of ‘Pavur’s’ identity than just the email address and phone number he provided.
However, 24% of the organizations that Pavur contacted handed over the information they held on his fiancée with only an email address and phone number accepted as proof of ‘her’ identity. Another 16% requested easily forged identity information as a next step.
Pavur’s claim, then, is that this same mechanism could easily be deployed by bad actors seeking to steal individuals’ identities for a wide range of fraudulent and criminal activities. In other words, the GDPR provides an effective ‘cover story’ for individuals seeking to harvest personal data from companies – data which they may then use for nefarious ends.
Digging into the details of Pavur’s experiment does suggest that the claim that GDPR can help malicious cybercriminals to steal people’s identities is certainly feasible. Especially considering the rate of success despite the self-imposed limitations on not creating forgeries of documents or submitting to telephone interviews.
The introduction of the GDPR was a significant step forward in terms of not only encouraging better security and compliance practices, but also in raising both corporate and individual awareness of data protection issues. GDPR may not be perfect, but overall, it’s a step in the right direction.
In summary, Pavur’s experiment underlines how weak business processes can be leveraged through social engineering, to easily trick organizations into making errors which put sensitive data dramatically at risk – and it is clear that the data subject access requests (DSARs) enabled by the GDPR, introduce a new business process that must exist throughout various organisations. While businesses are still cutting their teeth on building these processes, there is room for cybercriminals to extract sensitive data.
The onus for organizations, as ever, is to ensure robust processes are in place to avoid falling victim to such social engineering. These should include educating staff in a dynamic and ongoing way, and putting in place appropriate checks and balances to ensure that DSARs are genuine. Managing DSARs, as well as the right to erasure requests, through a centralised portal, for example, can help ensure a consistent and risk-centric approach to approval or refusal.