The so-called “right of access” under GDPR, which allows consumers to find out what information is being held on them, is wide open to abuse, with some firms carelessly handing out other customers’ data without proper security checks.
That is the damning conclusion of an investigation carried out by University of Oxford cyber-security researcher James Pavur, who released his findings at the Black Hat conference in Las Vegas late last week.
During his probe, Pavur managed to get a hold of his fiancée’s sensitive information, including credit card information, travel details, account log-ins and passwords, full social security number, as well as the results of a criminal activity check.
Although Pavur declined to name and shame the offending companies, he did finger the sectors in which they are operating. It was a UK hotel chain that shared information on his fiancée’s overnight stays, two UK rail companies shared records of all the trips she had taken with them over many years, while an American educational company dished out high school grades, mother’s maiden name and the results of a criminal activity check.
However, Pavur did confirm those companies which blocked his attempt to gather personal data. UK supermarket giant Tesco demanded a photo ID, US retailer Bed Bath & Beyond insisted on a phone interview and American Airlines spotted that he had uploaded a blank image to the passport field of its online form.
Overall, Pavur contacted 83 firms which were known to hold data about his partner. Of those, 24% supplied personal data without verifying any identity; 16% requested an easily forged type of ID that he did not provide; 13% ignored the request altogether; 5% claimed they held no data, even though his fiancée had an account; and 3% misinterpreted the request and deleted all her data. Only 39% asked for a “strong” type of ID.
The report exposes a large chasm in data governance between big business and the rest. Pavur explained: “Generally if it was an extremely large company – especially tech ones – they tended to do really well. Small companies tended to ignore me. But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”
In the run-up to GDPR, there were dire warnings that the new regulation would trigger a tsunami of data requests as soon as the regulation came into force, raising fresh fears that many would struggle to cope. According to a poll of UK adults, commissioned by SAS, nearly half (48%) planned to activate new rights over their personal data.
However, so far the Metropolitan Police is the only organisation to have fallen foul of the UK Information Commissioner’s Office, after it emerged that the force had a backlog of over 1,700 requests for copies of data.
Although the ICO has only slapped the Met with enforcement notices, rather than a fine, the regulator did issue a warning to companies to ensure they comply with requests within the one-month time frame or face a serious kicking for being in breach of GDPR.