An anonymous reader quotes a report from Motherboard: Europe’s controversial privacy law, the General Data Protection Regulation — better known as GDPR — has been hailed by some as a solution to tech companies’ pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That’s what Ph.D. student and cybersecurity researcher James Pavur discovered when he and his fiancée — and co-author on their paper — Casey Knerr made an unusual wager about using GDPR’s right of access requests — a mechanism that allows Europeans to ask any company what data it holds on them — with the goal of extracting sensitive information.
Along with his fiancée Knerr, who also works in the infosec industry — and with her full consent — Pavur devised a clever yet very simple experiment. He started with just Knerr’s full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, “the weakest possible form of attack,” as he put it in his paper. Then he sent requests to 75 companies, and then to another 75 using the new data — such as home addresses — that he had found through the first wave of requests, using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiancée’s Social Security number, date of birth, mother’s maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services. “Pavur and Knerr said 25 percent of companies never responded. Two-thirds of companies, including online data services, responded with enough information to reveal that Pavur’s fiancée had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender.
Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would’ve been relatively hard to fake, according to the study.”