GDPArrrrr: Using Privacy Laws to Steal Identities
This highlights a critical privacy vulnerability in GDPR implementation that affects businesses and individuals, though it is incremental in exposing specific flaws rather than proposing a new solution.
The paper investigates how legal ambiguities in the GDPR's Right of Access can be exploited by attackers to steal sensitive information, finding that over 150 businesses often lack safeguards, exposing data like Social Security Numbers and passwords.
The General Data Protection Regulation (GDPR) has become a touchstone model for modern privacy law, in part because it empowers consumers with unprecedented control over the use of their personal information. However, this same power may be susceptible to abuse by malicious attackers. In this paper, we consider how legal ambiguity surrounding the "Right of Access" process may be abused by social engineers. This hypothesis is tested through an adversarial case study of more than 150 businesses. We find that many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties. This information varied in sensitivity from simple public records to Social Security Numbers and account passwords. These findings suggest a critical need to improve the implementation of the subject access request process. To this end, we propose possible remediations which may be appropriate for further consideration by government, industry and individuals.