Under the GDPR, consumers have what is called subject access or right of access, which allows them to request copies of the data companies have collected on them. Consumers can make subject requests verbally or in writing, and companies have up to one month to respond to them. As a general rule, companies are not permitted to charge fees in connection with the handling of these requests.
The benefits of subject access to consumers are obvious, but according to research conducted by Oxford University PhD student James Pavur, in their efforts to comply with the GDPR, businesses are routinely failing to ensure that these subject access requests are legitimate. As a result, consumers are being put at risk.
As detailed in a presentation he gave at the Black Hat security conference in Las Vegas, Pavur sent 150 GDPR requests to companies in his fiancée’s name. Almost three-quarters of the companies responded to the requests, and 83 indicated that they had data associated with his fiancée. Of those, nearly a quarter provided Pavur with his fiancée’s data after receiving little more than an email address and/or phone number as verification of identity. Sixteen percent accepted documentation that could be easily forged.
Disturbingly, Pavur was able to obtain sensitive information about his fiancée, sometimes with little to no identity verification. In one instance, he received his fiancée’s US social security number without having provided any identity verification documents. All told, 60% of the instances in which Pavur received data from a business — an instance being defined as “previously unknown personal information of a particular type” — would have had plausible utility to a bad actor and 15% would have had obvious utility to a bad actor.
Pavur was also able to show how data from different businesses could be combined by bad actors. For example, based on multiple requests, he was able to obtain 10 digits of his fiancée’s credit card number, the card’s expiration date, originating bank and postcode. Interestingly, based on a GDPR request to a threat intelligence firm, he was also able to obtain breached usernames and passwords belonging to his fiancée, some of which he found she still used on other online services, including a banking service.
An urgent need
Clearly, subject access creates a significant and, until now, little-publicized risk for businesses.
While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.
Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.
“This may suggest that there is a ‘social-engineering sweet-spot’ targeting organizations large enough to be aware of and concerned about GDPR, but also small enough to not have dedicated significant resources towards compliance,” he opined.
Because the potential liabilities of providing consumer data to bad actors are so high, companies of all sizes should prioritize subject access compliance going forward. While the GDPR might not prescribe specific requirements for identity verification, companies should create formal procedures and requirements for these requests.
As part of this, they should consider adopting common sense identity verification techniques, such as requiring consumers to log into accounts known to be associated with them or, when that is not possible, requiring consumers to supply government-issued photo IDs as evidence they are who they say they are.
Additionally, companies should create policies designed to prevent data from being leaked as a result of suspicious subject access requests, such as requests that originate from email addresses not known to be associated with the subject.
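The two controls recommended above (scale verification to what is being released, and treat requests from contact details not already on file as suspicious) can be written down as an intake rule rather than left to the judgement of whoever picks up the ticket. The following is an added example of such a triage step, not code from the article or from Pavur's research; the verification tiers, the per-category policy table, the record fields and the sample subject and requests are all constructed for illustration.

```python
"""
Triage model for an incoming subject access request (SAR).

Added example, not part of the original article. It releases a data
category only when the requester has cleared the verification tier that
category requires, and flags any request whose sender details do not
match the contact details already on file for the data subject.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set
import re


class Verification(IntEnum):
    """Strength of identity evidence attached to a request (constructed tiers)."""
    NONE = 0            # nothing beyond the request text itself
    CONTACT_MATCH = 1   # sender email or phone matches the record on file
    GOVERNMENT_ID = 2   # photo ID reviewed by a human operator
    AUTHENTICATED = 3   # request raised from a logged-in account session


# Minimum tier required before a category may be released.
# This is a constructed policy table, not a GDPR requirement.
REQUIRED: Dict[str, Verification] = {
    "marketing_preferences": Verification.CONTACT_MATCH,
    "order_history": Verification.GOVERNMENT_ID,
    "payment_card": Verification.AUTHENTICATED,
    "national_id": Verification.AUTHENTICATED,
    "breach_credentials": Verification.AUTHENTICATED,
}
# Any category not listed is treated as maximally sensitive.
DEFAULT_REQUIRED = Verification.AUTHENTICATED


@dataclass
class Subject:
    """Contact details the organisation already holds for the data subject."""
    emails: Set[str]
    phones: Set[str] = field(default_factory=set)


@dataclass
class Request:
    sender_email: str
    categories: List[str]
    sender_phone: Optional[str] = None
    id_checked: bool = False             # operator verified a photo ID
    authenticated_session: bool = False  # raised from a logged-in account


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def normalize_phone(num: str) -> str:
    # Digits only; assumes both sides were stored in the same international form.
    return re.sub(r"\D", "", num)


def achieved_level(req: Request, subj: Subject) -> Verification:
    """Highest verification tier the request actually satisfies."""
    if req.authenticated_session:
        return Verification.AUTHENTICATED
    if req.id_checked:
        return Verification.GOVERNMENT_ID
    known_emails = {normalize_email(e) for e in subj.emails}
    known_phones = {normalize_phone(p) for p in subj.phones}
    if normalize_email(req.sender_email) in known_emails:
        return Verification.CONTACT_MATCH
    if req.sender_phone and normalize_phone(req.sender_phone) in known_phones:
        return Verification.CONTACT_MATCH
    return Verification.NONE


def triage(req: Request, subj: Subject) -> dict:
    """Split the requested categories into releasable and withheld sets."""
    level = achieved_level(req, subj)
    release = [c for c in req.categories
               if level >= REQUIRED.get(c, DEFAULT_REQUIRED)]
    withheld = [c for c in req.categories if c not in release]
    flags: List[str] = []
    if level == Verification.NONE:
        # Sender details are not on file: the article's "suspicious request" case.
        flags.append("unknown_sender")
    if withheld:
        flags.append("needs_stronger_verification")
    return {"level": level, "release": release,
            "withheld": withheld, "flags": flags}


if __name__ == "__main__":
    # Constructed sample subject and requests.
    alice = Subject(emails={"Alice@Example.com"}, phones={"+44 7700 900123"})
    print(triage(Request("alice@example.com",
                         ["marketing_preferences", "payment_card"]), alice))
    print(triage(Request("someone@example.net", ["national_id"]), alice))
```

In practice the withheld list drives the reply to the requester (ask them to log in, or to attend a verified ID check) and the `unknown_sender` flag should route the ticket to a reviewer rather than to the automated fulfilment path; the point of the tiered table is that an email-only match, which satisfied nearly a quarter of the companies in Pavur's study, is never enough on its own for the categories that would be useful to an attacker.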
By taking these steps immediately, companies can make themselves less vulnerable and help ensure the goal of the GDPR is not compromised by efforts to comply with it.