GDPR's unintended consequences (The Register)


anorlunda

Summary
GDPR's unintended consequences
I would like to share this because GDPR has been discussed before on PF.

Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.

Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leaves the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?


The Risks List (http://catless.ncl.ac.uk/Risks/31/36#subj5) said:
Steven Klein <steven@klein.us>
Fri, 9 Aug 2019 13:33:14 -0400

GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU citizens. But it has made life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.

“James Pavur, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her. ... Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée.”

“A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts.”

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>
 

Pythagorean

GDPR and similar legislation designed to protect people's privacy will have negative implications for security solutions that use the same data to protect people. Both cybercriminals and security practitioners will have to adapt as they always have. With such complex technology that changes so quickly, it's an arms race.
 
