GDPR's unintended consequences (The Register)

Thread starter: anorlunda
SUMMARY

The General Data Protection Regulation (GDPR) has inadvertently made identity theft easier: it obliges companies to hand over a copy of the personal data they hold, but does not require them to verify the identity of the person asking. Steven Klein highlights a case, reported by The Register, in which James Pavur (with his fiancée's permission) submitted 150 GDPR requests in her name; 72% of companies replied, 83 said they held data on her, and roughly a quarter of the respondents accepted nothing more than an email address and phone number as proof of identity. This leaves companies in a bind: rejecting requests is unlawful, while honouring weakly verified ones harms the data subject and invites liability, and both attackers and defenders will have to adapt to the gap.

PREREQUISITES
  • Understanding of GDPR compliance requirements
  • Knowledge of identity verification processes
  • Familiarity with data protection laws in the EU
  • Awareness of cybersecurity threats and identity theft tactics
NEXT STEPS
  • Research GDPR compliance strategies for businesses
  • Explore identity verification technologies and best practices
  • Investigate the implications of GDPR on cybersecurity measures
  • Learn about the legal responsibilities of companies under GDPR
USEFUL FOR

Data protection officers, compliance managers, cybersecurity professionals, and anyone involved in GDPR implementation and identity verification processes.

anorlunda
Staff Emeritus, Science Advisor, Homework Helper, Insights Author
I would like to share this because GDPR has been discussed before on PF.

Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.

Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leaves the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
The Risks List (http://catless.ncl.ac.uk/Risks/31/36#subj5) said:
Steven Klein <steven@klein.us>, Fri, 9 Aug 2019 13:33:14 -0400

GDPR, the EU's General Data Protection Regulation, is supposed to protect personal data and user privacy for EU citizens. But it has made life much easier for identity thieves. The law obligates companies to provide a copy of any personal data they have, but doesn't require companies to verify the identity of those requesting the info.

“James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée [with her permission], including credit card and social security numbers, passwords, and even her mother's maiden name. [...] Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her. ... Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée.”

“A threat-intelligence company sent over a list of her email addresses and passwords which had already been compromised in attacks. Several of these still worked on some accounts.”

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>
GDPR and similar legislation designed to protect people's privacy will have negative implications for security solutions that use the same data to protect people. Both cybercriminals and security practitioners will have to adapt as they always have. With such complex technology that changes so quickly, it's an arms race.
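anorlunda asks what a third party that holds only an email address and a phone number is supposed to do. The security-engineering answer is that those two values must never be the proof of identity, because they are exactly what an identity thief already knows about the target; verification has to demonstrate control of a channel the company already has on file. The Python below is an added example written for this thread, not code from The Register, from Pavur's study or from any poster. The records, contact details, function and class names are constructed for illustration: `weak_verify` models the check that 24 per cent of respondents applied, and `ChallengeVerifier` models a possession-based alternative with expiry, bounded guessing and single use.

```python
"""Weak vs possession-based identity checks for a GDPR subject-access request.

Added example for this thread; it is not code from The Register article, from
Pavur's research, or from any poster. All records and contact details below are
constructed, and the function and class names are this example's own.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed customer records, keyed by the email address the company holds.
RECORDS: Dict[str, dict] = {
    "alice@example.org": {
        "phone": "+44 7700 900123",
        "data": {"name": "Alice Example", "card_last4": "4242"},
    },
}


def weak_verify(claimed_email: str, claimed_phone: str) -> Optional[dict]:
    """The check the article says 24 per cent of companies applied: release the
    file if the email and phone number in the request match the record.

    Both values are exactly what an identity thief already knows about the
    target, so a match proves nothing about who is asking.
    """
    rec = RECORDS.get(claimed_email)
    if rec is not None and rec["phone"] == claimed_phone:
        return rec["data"]
    return None


@dataclass
class Challenge:
    token: str
    expires_at: float
    attempts_left: int = 3  # bounded guessing, then the challenge is void


class ChallengeVerifier:
    """Possession-based check: a single-use code goes to the contact channel
    already on file (never to an address supplied in the request) and the file
    is released only to whoever can present that code in time."""

    TTL_SECONDS = 15 * 60

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised
        self._pending: Dict[str, Challenge] = {}

    def start(self, claimed_email: str) -> Optional[str]:
        """Issue a challenge for the subject on file.

        The return value models delivery of the code to the on-file mailbox; a
        real service would email it and show the requester the same neutral
        "if we hold data on you, a code has been sent" message whether or not
        the subject exists, so the endpoint does not leak who is a customer.
        """
        if claimed_email not in RECORDS:
            return None
        token = secrets.token_urlsafe(16)
        self._pending[claimed_email] = Challenge(token, self._now() + self.TTL_SECONDS)
        return token

    def complete(self, claimed_email: str, presented: str) -> Optional[dict]:
        """Release the subject's file only for a fresh, unused, correct code."""
        ch = self._pending.get(claimed_email)
        if ch is None:
            return None
        if self._now() > ch.expires_at or ch.attempts_left <= 0:
            self._pending.pop(claimed_email, None)
            return None
        ch.attempts_left -= 1
        # Constant-time comparison so a wrong guess cannot be refined by timing.
        if not hmac.compare_digest(ch.token.encode(), presented.encode()):
            return None
        self._pending.pop(claimed_email, None)  # single use
        return RECORDS[claimed_email]["data"]
```

With these two checks side by side, an attacker who knows the target's email and phone number passes `weak_verify` outright but cannot get past `complete` without reading the on-file mailbox, which is the property the companies in the study were missing.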