University of Oxford-based researcher James Pavur contacted UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
For the purposes of his investigation, he asked each of them for all the data that they held on his fiancée, citing the General Data Protection Regulation (GDPR).
He found that an astonishing one in four companies revealed personal information about his partner – even offering him up information about a criminal activity check.
This alone is hugely worrying and shows that some businesses simply do not know how to handle Subject Access Requests (SARs).
Mr Pavur presented his findings at the Black Hat conference in Las Vegas. His fiancée gave him permission to carry out the tests and helped write up the findings but did not participate in the investigation.
The companies that he contacted also offered up information on his partner’s credit card details, travel info, account logins and passwords, and her full US social security number.
When GDPR was introduced last year, it shortened the time organisations had to respond to data requests, added new types of information they must provide, and increased the potential penalty for non-compliance.
Mr Pavur told the BBC: “Generally if it was an extremely large company – especially tech ones – they tended to do really well.”
“Small companies tended to ignore me.
“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”
Although Mr Pavur would not disclose the identities of the companies that handed over the information, they included: a UK hotel chain that shared a complete record of his partner’s overnight stays; two UK rail companies that provided records of all the journeys she had taken with them over several years; and a US-based educational company that handed over her high school grades, mother’s maiden name and the results of a criminal background check survey.
He was happy to sing the praises of the companies that did not simply hand over the information but asked for checks first. They included Tesco, which asked for a photo ID.
Bed Bath and Beyond insisted on a telephone interview, and American Airlines noticed that he had uploaded a blank image to the passport field of its online form.
Dr Steven Murdoch, from University College London, told the BBC that the findings were a “real concern”.
“Sending someone’s personal information to the wrong person is as much a data breach as leaving an unencrypted USB drive lying around or forgetting to shred confidential papers.”
For the investigation, Mr Pavur created a fake email address for his partner, in the format “first name-middle firstname.lastname@example.org”. He also included an accompanying letter that clearly stated that, under the terms of GDPR, the recipient had one month to respond.
The crucial part of his research was that his letter also stated that he could provide additional identity documents via a “secure online portal” if required.
He knew this would be the vital element since he believed many businesses lacked such a facility and would not have time to create one.
Using that basic information, he contacted the companies. But for the second batch, he drew on personal details revealed by the first group to answer follow-up questions.
The idea, he said, was to replicate the kind of attack that could be carried out by someone starting with just the details found on a basic LinkedIn page or other online public profile.
Mr Pavur said that a total of 60 distinct pieces of personal information about his girlfriend were ultimately exposed.
These included a list of past purchases, 10 digits of her credit card number, its expiry date and issuer, and her past and present addresses.
One company even provided a record of breached usernames and passwords it held on his partner. These still worked on at least 10 online services as she had used the same logins for multiple sites.
Of the 83 firms known to have held data about his partner, Mr Pavur said:
- 24% supplied personal information without verifying the requester’s identity
- 16% requested an easily forged type of ID that he did not provide
- 39% asked for a “strong” type of ID
- 5% said they had no data to share, even though the fiancée had an account controlled by them
- 3% misinterpreted the request and said they had deleted all her data
- 13% ignored the request altogether
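The failure modes above (no verification, easily forged ID, an uninspected blank upload, “no data” for an existing account, and records sent to an address the requester introduced) map onto a small SAR triage policy. The following is an added illustration, not code from the study or from any of the companies involved; the account directory, the `Account` and `SarRequest` types and the decision strings are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class IdStrength(Enum):
    NONE = 0    # nothing supplied (the study's 24% released data at this level)
    WEAK = 1    # easily forged or uninspected proof (an uploaded image, a utility bill)
    STRONG = 2  # proof checked by staff: live phone interview, inspected photo ID

@dataclass(frozen=True)
class Account:
    email: str   # contact address on record, the only address records are sent to
    name: str

@dataclass(frozen=True)
class SarRequest:
    claimed_name: str
    from_email: str
    id_strength: IdStrength
    id_inspected: bool  # did a person actually look at the proof (a blank upload fails)

# Constructed sample directory: one customer on file (hypothetical).
ACCOUNTS = [Account("alice@example.org", "Alice Example")]

def find_account(name: str):
    """Match on the data subject's name, not on the requester's address, so an
    existing customer is not wrongly told 'no data' (the study's 5% case)."""
    key = " ".join(name.split()).casefold()
    return next((a for a in ACCOUNTS if a.name.casefold() == key), None)

def triage(req: SarRequest):
    """Decide what happens to a SAR. Returns (decision, delivery_address).
    Data is released only after STRONG, inspected proof, and only to the
    address on record, never to an address the requester introduced."""
    account = find_account(req.claimed_name)
    if account is None:
        return ("no_data", None)
    if req.id_strength is not IdStrength.STRONG or not req.id_inspected:
        # Do not rely on a verification channel the requester offers (such as
        # their own "secure online portal"); run the organisation's own check.
        return ("request_strong_id", None)
    return ("release", account.email)
```

A request from a freshly created address with no proof, or with a blank image nobody inspected, is held for strong verification; a verified request is fulfilled, but the records go to the address already on file.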
This investigation shows that some organisations have serious problems grasping GDPR and what it means. Personal data will remain at risk if companies continue to bury their heads in the sand.
It has been over a year since GDPR came into effect and it’s time that businesses of all sizes took notice of the changing landscape.