A security researcher has identified major flaws in many organisations’ DSAR (data subject access request) procedures.
James Pavur contacted dozens of UK and US-based companies to request personal information about his fiancée in order to see how they would respond.
Two fifths of organisations complied with the request, either accepting easily forged documents or not verifying Pavur’s identity at all.
The information they provided included the results of a criminal background check, credit card information, travel details, account credentials and full US Social Security number.
Pavur declined to name the organisations that mishandled the requests. That is sensible: naming them would only invite miscreants to submit their own fake DSARs to the same companies and gain access to other people’s personal data.
However, he did name some of the companies that performed well. For example, Tesco asked for photo ID, the North American retail chain Bed Bath & Beyond demanded a telephone interview and American Airlines noticed that Pavur uploaded a blank image to the passport field of its online form.
These good practices were far from common, though. Of the 83 organisations Pavur contacted that held information about his partner, 24% supplied personal information without verifying the requester’s identity at all, and a further 16% asked only for an easily forged form of ID, such as a signature.
Another 13% of organisations ignored the request altogether, which is a violation of the GDPR (General Data Protection Regulation) in its own right.
Only 39% of organisations requested a form of ID that would be difficult to forge, like a passport or bank card.
Misunderstanding the GDPR has created security weaknesses
Pavur presented his findings at the Black Hat conference in Las Vegas to show the vulnerabilities that have been created as a result of organisations misunderstanding the GDPR.
Under the previous data protection regime, organisations in the EU were already required to provide copies of personal information on request. The GDPR toughened those requirements, for example by preventing organisations from charging a fee to complete most requests and by cutting the deadline to respond from 40 days to one month.
However, nothing in the Regulation allows an organisation to hand one person’s data to another. Data subjects can request information only about themselves, and organisations are expected to take reasonable steps to ensure that the person making the request is who they claim to be.
Pavur’s requests were sent from an email address he created in his partner’s name (she had given him permission to impersonate her). In each request he said he could provide ID through a “secure online portal” if required.
If the organisation asked for a strong form of ID, Pavur abandoned the con, satisfied that its verification process was adequate. Unfortunately, many organisations either took him at his word or accepted documents that could easily be mocked up as proof of identity.
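As an added illustration (not code from Pavur’s research or from any of the organisations mentioned), the Python sketch below shows what an automated first pass over an incoming DSAR could check before anyone pulls records: whether the requester’s address is one already held for the data subject, which tier of identity evidence was offered, and whether an uploaded document image is just a blank placeholder of the kind American Airlines spotted. The ID tiers, field names, email addresses and pixel data are all assumptions constructed for the example.

```python
"""DSAR intake triage: an added example, not any organisation's real process."""
from dataclasses import dataclass
from typing import Optional

# Assumed tiers for this example (0 = nothing, 1 = easily forged, 2 = hard to forge).
# They mirror the three categories in the write-up, not any legal standard.
ID_STRENGTH = {
    None: 0,
    "email_only": 0,
    "signature": 1,
    "utility_bill": 1,
    "bank_card": 2,
    "passport": 2,
    "phone_interview": 2,
}
DOCUMENT_ID_TYPES = {"passport", "bank_card"}  # tiers that require an uploaded scan


@dataclass
class SubjectRecord:
    """What the organisation already holds about the data subject (assumed fields)."""
    name: str
    emails_on_file: frozenset


@dataclass
class DsarRequest:
    """An incoming request as captured by a hypothetical web form."""
    requester_email: str
    subject_name: str
    id_type: Optional[str]
    id_image: Optional[bytes] = None  # raw 8-bit greyscale pixels, if a scan was uploaded


def image_is_blank(pixels: Optional[bytes], min_distinct: int = 8) -> bool:
    """A real document scan contains many distinct intensities; a blank or
    single-colour placeholder contains very few. Crude, but it catches an
    empty upload in the passport field."""
    if not pixels:
        return True
    return len(set(pixels)) < min_distinct


def triage(req: DsarRequest, record: SubjectRecord):
    """Return (decision, reasons). Nothing is released unless the evidence is
    strong AND the requester reached us through a channel already on file."""
    reasons = []
    known_email = req.requester_email.lower() in {e.lower() for e in record.emails_on_file}
    if not known_email:
        reasons.append("requester email is not on file for this data subject")

    strength = ID_STRENGTH.get(req.id_type, 0)  # unknown ID types count as nothing
    if strength < 2:
        reasons.append(f"identity evidence {req.id_type!r} is missing or easily forged")
    elif req.id_type in DOCUMENT_ID_TYPES and image_is_blank(req.id_image):
        strength = 0  # a strong ID type with no real document behind it is worth nothing
        reasons.append("document upload is missing or blank")

    if strength < 2:
        return "request_strong_id", reasons
    if not known_email:
        return "manual_review", reasons  # e.g. confirm via the address we already hold
    return "proceed_to_fulfilment", reasons


# Constructed sample data (not real people, addresses or documents).
SUBJECT = SubjectRecord(name="A. Partner", emails_on_file=frozenset({"a.partner@example.com"}))
BLANK_IMAGE = bytes([255]) * 64                           # all-white placeholder
SCAN_IMAGE = bytes((i * 37) % 256 for i in range(64))     # 64 distinct intensities

# The Pavur pattern: a fresh address in the subject's name and no ID offered.
IMPERSONATION_REQUEST = DsarRequest("a.partner.2019@example.net", "A. Partner", None)
# Same sender, but with a blank image in the passport field.
BLANK_UPLOAD_REQUEST = DsarRequest("a.partner.2019@example.net", "A. Partner", "passport", BLANK_IMAGE)
# Same sender, offering only a signature.
WEAK_ID_REQUEST = DsarRequest("a.partner.2019@example.net", "A. Partner", "signature")
# New address but a genuine-looking passport scan: hold for a human.
NEW_EMAIL_STRONG_ID_REQUEST = DsarRequest("a.partner.2019@example.net", "A. Partner", "passport", SCAN_IMAGE)
# Address on file plus a real scan.
GENUINE_REQUEST = DsarRequest("a.partner@example.com", "A. Partner", "passport", SCAN_IMAGE)

if __name__ == "__main__":
    for label, req in [("impersonation", IMPERSONATION_REQUEST),
                       ("blank upload", BLANK_UPLOAD_REQUEST),
                       ("weak id", WEAK_ID_REQUEST),
                       ("new email, strong id", NEW_EMAIL_STRONG_ID_REQUEST),
                       ("genuine", GENUINE_REQUEST)]:
        decision, why = triage(req, SUBJECT)
        print(f"{label:22} -> {decision} {why}")
```

The point of the two-part rule in `triage` is that a strong document alone is not enough when the request arrives from an address the organisation has never seen for that person: that is exactly the gap Pavur walked through. Routing such cases to manual review, and confirming through a contact detail already on file, closes it without refusing legitimate requesters who have simply changed email address.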
The GDPR should be protecting people
Pavur’s test is another example of how the GDPR’s good intentions backfire when the Regulation isn’t interpreted properly.
Those who complain about the mountain of terms and conditions they have to read – even when they just want to visit a website – or the extra processes their organisations must put in place forget that the GDPR is there to protect people’s privacy and data rights.
When implemented correctly, the Regulation’s requirements are mutually beneficial: they keep data subjects secure and reduce the risk of costly security incidents for organisations.
But many organisations have been overwhelmed by the breadth of the GDPR and are failing to act appropriately.
Until organisations adopt a robust DSAR response process, they expose themselves to fraud. Pavur may have been requesting this information to demonstrate organisations’ weaknesses, but how many fraudsters have used the same methods to get hold of sensitive data?
A wake-up call
If access requests weren’t already high on organisations’ lists of priorities, these findings should be a wake-up call.
As Pavur has shown, DSAR response is a complicated task – and he was only looking at organisations’ ability to verify the data subject’s identity.
Organisations also need to coordinate with any third parties that collect or use the individual’s data on their behalf, convert the records into an accessible format and respond within a month.
You can learn everything you need to meet these requirements by reading our free guide: A Concise Guide to Data Subject Access Requests.
For a more practical solution, try our DSAR as a Service package. You can concentrate on what your organisation does best while one of our data protection experts takes the reins of your access request process, ensuring that you respond in time and in compliance with the GDPR.