LAS VEGAS — The European Union's new data-protection laws, meant to ensure Europeans' privacy, are instead a treasure trove for identity thieves, an Oxford security researcher demonstrated during the Black Hat conference here Thursday (Aug. 8).
James Pavur, an American studying at Oxford as a Rhodes Scholar, easily got sensitive personal information about another European resident — his fiancee Casey Knerr, with her consent — simply by pretending to be her and then asking 150 companies, mostly in the United Kingdom and the United States, for copies of the data the companies collected about her.
In response, he got his fiancee's Social Security number, 10 digits of her credit-card numbers, the usernames and passwords for several of her online accounts and lists of train trips she had taken and hotels she had stayed in.
"Poorly considered privacy legislation can actually endanger privacy," Pavur said in his talk. He recommended that European residents check with the companies with which they have accounts for any unauthorized requests for data, and that European lawmakers let companies reject requests for information that seem suspicious.
All companies operating in the European Union must provide any European resident who asks with copies of the data those companies collect about that person. This is because of the Right of Access section in the General Data Protection Regulation (GDPR) enacted in May 2018.
The GDPR applies to all companies doing any kind of business in Europe, which includes most major American tech companies. U.S. or Canadian residents don't have the same Right of Access and usually can't just request their own data. (Here's how to do it with Apple, Google or Facebook, however.)
The truth is, though, that "many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties," as Knerr and Pavur wrote in a white paper (opens in new tab) released in conjunction with Pavur's Black Hat presentation (opens in new tab).
Getting the goods
Posing as Knerr, Pavur contacted 75 different companies with a boilerplate email message asking for all the data they had on her. He used mainly data that could be obtained from public records, such as Knerr's name from a LinkedIn profile or a personal or company website. He did make up a fake Gmail address using the common first-name-last-name format.
In a second phase, Pavur contacted another 75 companies using the same email message, but with the ability to use personal data collected in the first wave if any of the second-phase companies asked for additional proof of identity.
Overall, 23% of the companies contacted never responded to Pavur's email. Another 5% said they had no obligation to provide the data, even though the GDPR says they do. But 72%, or 108 total companies in total, handled the requests for data.
In some cases, the companies didn't ask for verification that Pavur actually was his fiancee, other than his affirmation that he was. Other companies asked for an image of Knerr's driver's license, a document that Pavur said could easily be forged, although he didn't do so.
Of those companies that handled the requests, 39% demanded strong verification, such as asking the requester to log into Knerr's account with them or to respond to a verification message sent to Knerr's real email address. Pavur went no further with those. A few companies said they had no data on Knerr, and a few more deleted her accounts rather that provide the data.
A firehose of information
But 24% of the companies who handled the requests gave Pavur Knerr's personal data without any form of verification. Another 16% asked for verification that was so weak, such as a utility bill or a postmarked envelope addressed to the subject, that Pavur provided realistic-looking facsimiles which worked.
A British rail company gave Pavur an itinerary of Knerr's train travels over the past year. A hotel chain gave him all the dates in which Knerr had stayed with them, as well as how often she had connected to the hotel Wi-Fi.
None of that can be used to steal someone's identity, but it could certainly be used to track an individual who traveled often to the same destinations and stayed in the same hotels.
Pavur did get very sensitive information without trying too hard. A "major educational service" gave him Knerr's full name, date of birth and Social Security number -- a perfect identity-theft package.
An information-security firm gave him a list of Knerr's email addresses that had been compromised in data breaches, plus the passwords associated with those email addresses. Several companies gave him Knerr's partial credit-card numbers; not enough to go on a shopping spree, but perhaps enough to use as verification when trying to break into someone else's bank account.
Scared into spilling the beans
Pavur said the reason many companies gave up the data without much, if any, proof of identity was simple: They're scared. GDPR violations can trigger enormous fines: up to €10 million (US$11 million) or 4 percent of worldwide annual revenue, whichever is greater.
As Pavur and Knerr cited in their white paper, France has already hit Google with a fine of €50 million for abusing personal data for advertising purposes, and the U.K. has fined British Airways and Marriott International €183 million and €99 million, respectively, for permitting massive theft of personal data in breaches of their systems.
Futhermore, companies have only one month to provide each requester with a full set of his or her personal data. But there's no clear definition of what kind of identification requesters must provide when asking for their data. Companies are also not allowed to collect any additional personal data to verify the requester's identity, but must work with what they already have.
As a result, many companies — mainly medium-sized organizations, Pavur observed — simply gave up the data without much of a fuss.
How to fix this
Pavur recommended that companies complying with the GDPR Right of Access require that anyone requesting their data first log into their own accounts on the companies' services — perhaps not such an obvious step when the standard mechanism to request the data is to mail a letter or send an email message.
Pavur said companies should reject suspicious GDPR Right of Access requests, which may seem obvious. But before that can be made a general policy, European legislators will have to let them do so without incurring fines. Pavur said the lawmakers should also clarify which forms of ID are acceptable in making Right of Access requests.