Steven Murdoch

Academic advisor: Markus Kuhn
Affiliations: University College London
Citations: 5,268
Interests: Security, Privacy, Anonymous Communications, Chip And PIN, EMV

About Steven Murdoch


Steven James Murdoch FBCS FIET is Professor of Security Engineering in the Computer Science Department, University College London. His research covers privacy-enhancing technology, Internet censorship, and anonymous communication, in particular Tor.

Black Hat: GDPR data protection law exploited to obtain personal data

Feb 16, 2020 5:08 am

GDPR is intended to protect personal data, but this experiment used the law to achieve the opposite effect.

About a quarter of the companies contacted disclosed personal information about a woman after her partner sent them a letter demanding the data, citing EU data protection law.

The security expert contacted dozens of US- and UK-based companies to test how they would handle a "right to access" request made on behalf of another person.

In each case, he asked for all the data they held on his fiancée rather than on himself.

In one case, the response contained the results of a criminal activity check.

Other responses included credit card information, travel information, account logins and passwords, and the target's full US Social Security number.

University of Oxford-based researcher James Pavur presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the law, which came into force in May 2018. The law shortened the time organisations have to respond to data requests, added new types of information they must hand over, and increased the potential penalties for non-compliance.

"In general, the very large companies - especially tech ones - tended to do really well," he told the BBC.

"Small businesses tended to ignore me.

"But the kind of medium-sized companies that knew of GDPR, but maybe did not have much of a specialised process [for requests], failed."

He declined to identify which organisations had complied with the requests, but said they included:

Mr Pavur did, however, name some of the companies that he said had done well.

Mr Pavur says he believes he did not break the law during the conduct of the study.

He said they included:

An independent expert said the results were a "real concern".

"Sending someone's personal information to the wrong person is as much a breach of data protection as leaving an unsecured USB drive lying around or forgetting to shred confidential papers," said Dr Steven Murdoch from University College London.

Deadline

Mr Pavur's bride-to-be gave him permission to conduct the tests and helped write up the results, but otherwise did not take part in the operation.

For the correspondence, the researcher created a fake email address for his partner in the format "first name-father name-last name@gmail.com".

Each recipient had one month to respond.

He added that he could supply proof of identity, via a "secure online portal", if necessary. This was a deliberate deception: he believed that many companies lacked such a facility and would not have the time to create one.

The attacks took place in two waves.

For the first half of the companies contacted, he used only the information described above. But for the second batch, he drew on personal details brought to light by the first group's answers to respond to follow-up questions.

The idea, he said, was to replicate the type of attack that could be carried out by someone armed only with the details found on a basic LinkedIn page or other public online profile.

Fake stamps

If an organisation asked for a "strong" type of ID, such as a passport or driving licence scan, Mr Pavur refused.

He also decided not to counterfeit more easily forged documents.

So, for example, he would not sign documents as if he were her. Nor would he send emails with fake headers when asked to write from the victim's registered account.

But he did try to convince the companies to accept mock documents that were, in theory, easy to forge but that in this case could have come from his fiancée.

So, when a train operator asked for a photocopy of the passport, he convinced it instead to accept a stamped, postmarked envelope addressed to the "victim".

In another case, a cyber-security company agreed to accept a photo of a bank statement that had been redacted so that only the target's name and address remained visible.

Mr Pavur says that in one case a heavily redacted account statement was accepted.

Sometimes such tricks were unnecessary.

An online gaming company asked for the applicant's account password. But when he said it had been forgotten, Mr Pavur said, it revealed his fiancée's personal data anyway without asking for an alternative check.

Exposed passwords

Mr Pavur said that, in total, 60 different pieces of personal information about his girlfriend were eventually exposed.

These included a list of previous purchases, 10 digits of her card number, its expiry date and issuer, and her past and present addresses.

In addition, a threat intelligence company provided a record of breached usernames and passwords it held on his partner. These worked on at least 10 online services, as she had used the same credentials for multiple sites.

In one case, the GDPR request letter was posted on the internet by an advertising agency, which was a breach of privacy in itself. It contained the fiancée's name, address, email and phone number.

"Luckily, it had only very basic data," said Mr Pavur.

"But you could imagine someone sending a letter with more detailed information."

A total of 83 companies held data on his partner, Mr Pavur said:


Source of news: bbc.com
