- #1
- 11,308
- 8,737
- TL;DR Summary
- GDPR's unintended consequences
I would like to share this because GDPR has been discussed before on PF.
Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.
Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leave the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.
Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leave the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
The Risks List [URL]http://catless.ncl.ac.uk/Risks/31/36#subj5[/URL] said:Steven Klein <steven@klein.us>Fri, 9 Aug 2019 13:33:14 -0400GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU cititzens. But it has made it life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.
“James Paver, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her. ... Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée.''
“A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts.''
Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>