GDPArrrrr: Using Privacy Laws to Steal Identities

12/02/2019
by James Pavur, et al.

The General Data Protection Regulation (GDPR) has become a touchstone model for modern privacy law, in part because it empowers consumers with unprecedented control over the use of their personal information. However, this same power may be susceptible to abuse by malicious attackers. In this paper, we consider how legal ambiguity surrounding the "Right of Access" process may be abused by social engineers. This hypothesis is tested through an adversarial case study of more than 150 businesses. We find that many organizations fail to employ adequate safeguards against Right of Access abuse and thus risk exposing sensitive information to unauthorized third parties. This information varied in sensitivity from simple public records to Social Security Numbers and account passwords. These findings suggest a critical need to improve the implementation of the subject access request process. To this end, we propose possible remediations which may be appropriate for further consideration by government, industry and individuals.


Related research

Class Clown: Data Redaction in Machine Unlearning at Enterprise Scale (12/08/2020)
Judge, Jury Encryptioner: Exceptional Access with a Fixed Social Cost (12/11/2019)
Privacy Issues and Data Protection in Big Data: A Case Study Analysis under GDPR (11/20/2018)
To Warn or Not to Warn: Online Signaling in Audit Games (05/16/2019)
The Unwanted Sharing Economy: An Analysis of Cookie Syncing and User Transparency under GDPR (11/21/2018)
Needle in the Haystack: Analyzing the Right of Access According to GDPR Article 15 Five Years after the Implementation (08/29/2023)
Engineering Privacy by Design: Are engineers ready to live up to the challenge? (06/08/2020)
