About one in four companies revealed personal information to a woman's partner, who had made a bogus request for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.
In each case, he asked for all the data that they held on his fiancée.
In one case, the response included the results of a criminal activity check.
Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.
University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.
It is the first known test of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.
“Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.
“Small companies tended to ignore me.
“But the type of mid-sized companies that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed.”
He declined to identify the organisations that had mishandled the requests, but said they had included:
- a UK hotel chain that shared a complete record of his partner's overnight stays
- two UK rail companies that provided records of all the journeys she had taken with them over several years
- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey
Mr Pavur has, however, named some of the companies that he said had performed well.
He said they included:
- the supermarket Tesco, which had demanded a photo ID
- the home retail chain Bed Bath and Beyond, which had insisted on a phone interview
- American Airlines, which had noticed that he had uploaded a blank image to the passport field of its online form
One independent expert said the findings were a “real concern”.
“Sending someone’s personal information to the wrong person is as much a data breach as leaving an unencrypted USB drive lying around, or forgetting to shred confidential papers,” said Dr Steven Murdoch, from University College London.
Mr Pavur’s bride-to-be gave him permission to…