More than a year after the General Data Protection Regulation (GDPR) came into force in May 2018, some businesses still lack clear policies and procedures for compliance with quite simple tasks.

Something as routine as handling a Subject Access Request (SAR), the mechanism by which an individual exercises their right to obtain a copy of the personal data you hold on them, together with supplementary information about how it is processed, is causing confusion and opening a potential security loophole.

A recent Black Hat USA whitepaper by Oxford University researcher James Pavur and security consultant Casey Knerr explored whether privacy law itself could give criminals an opportunity to profile an individual and steal their information.

The theory

The paper’s abstract treats legal ambiguity as an opening for social engineers (people who trick others into divulging confidential or personal information, which can then be used or sold on to commit fraud) to obtain someone’s personal data by exercising the ‘right of access’, i.e. by submitting a SAR in that person’s name.

The experiment

To test their theory, the whitepaper’s authors ran an experiment in which one author played the ‘attacker’ and the other the ‘victim’.

The test was simple: the attacker sent SARs to 150 organisations in the victim’s name, without her direct participation or interaction.

The attacker started with only scant knowledge of the victim: full name, a guessed email address and phone numbers (gathered from sources such as the employer’s website), plus basic tools such as the ability to send emails and perhaps to falsify simple documents. More advanced capabilities, such as spoofing email headers or forging signatures, were not used.

Any further information the attacker obtained from organisations that responded to the SAR, such as a home address, could then be fed into subsequent requests to make them more convincing.

The SAR letter, reproduced in the whitepaper’s appendix, was deliberately vague and requested two kinds of information: personal data the organisation had shared with third parties, and personal data that had “been disclosed inadvertently as a result of a security or privacy breach”.

Both requests were designed to set the cat amongst the pigeons: to unsettle the recipient organisation by implying that the requester might know of a disclosed (or indeed undisclosed) data breach.

A fake email address impersonating the victim was set up, and the letters were sent from that account.

The aim was to replicate an attacker with minimal prior knowledge of the victim extracting valuable personally identifiable information from well-known organisations across a range of sectors.

By targeting many organisations for a single victim, the attacker needs only a small number of them to respond with data for the haul to be enough for the intended purpose. The responses received were recorded and analysed.

The result

A quarter of the organisations did not respond to the request, or said they were not obliged to respond.

The remaining three quarters responded, and two thirds of those replied in a way that revealed whether or not the victim had used their services. That is not personally identifiable information in itself, but it does build up a picture of the victim’s profile and habits.

As this was a small experiment, the sample was not large enough to support conclusive industry-specific observations. Within this sample set, however, the authors found that banks, airlines and social media organisations were less vulnerable to this kind of attack, while sectors such as the arts and education (probably less used to handling GDPR requests) were more likely to reveal sensitive information. Larger organisations tended to handle the SAR better than smaller ones, many of which simply ignored the request.

There did, however, seem to be a “social-engineering sweet spot” among mid-sized organisations, which accounted for 70% of the mishandled requests.

In total, over 60 distinct pieces of personally identifiable information (i.e. items previously unknown to the attacker), of varying sensitivity, were obtained.

In conclusion

While there is no evidence yet that cyber criminals are using this approach to harvest valuable personally identifiable information, in recent years social engineering attacks have been overtaking purely technical hacks.

It is certainly a concern that two researchers were able to gain so much personally identifiable information, and such a clear behavioural profile, of the ‘victim’ from this experiment. Businesses need to ensure that their SAR handling and response processes are clear, and that identity is verified robustly before a SAR is answered, so that information is released to the real data subject and not to a criminal. In practice that means verifying through contact details already on record rather than the address the request arrived from, and never confirming or denying to an unverified requester that the named person is a customer.
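The following is an added illustration of that intake discipline, not code from the Pavur and Knerr whitepaper or from the original article. It shows a SAR triage routine that trusts nothing in the inbound request: the record is looked up by the address the request actually came from, every requester receives the same acknowledgement whether or not a record exists, and the verification token and any data can only ever be routed to the address already on file, never to the address the letter asks for. The customer directory, names, addresses and request messages are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# The only text an unverified requester ever receives. It is identical whether
# or not a matching record exists, so the reply cannot be used to learn if the
# named person is a customer.
UNIFORM_ACK = (
    "We have received your request. If we hold an account matching the details "
    "supplied, we will contact the account holder using the contact details "
    "already on record to verify the request before releasing any data."
)


@dataclass(frozen=True)
class Customer:
    customer_id: str
    full_name: str
    email_on_record: str


@dataclass(frozen=True)
class SubjectAccessRequest:
    claimed_name: str        # what the letter says; unverified
    sender_email: str        # where the request came from; attacker-controlled in the experiment
    requested_delivery: str  # where the requester asks for the data to be sent; never used


@dataclass(frozen=True)
class Triage:
    requester_reply: str               # the only thing sent back to sender_email
    deliver_to: Optional[str]          # on-record address, or None (nothing is ever sent)
    verification_token: Optional[str]  # sent only to deliver_to, never to the sender
    matched_customer: Optional[str]


# Constructed sample directory; these are not real people or addresses.
SAMPLE_DIRECTORY: Dict[str, Customer] = {
    "alex.sample@example.com": Customer("c-1001", "Alex Sample", "alex.sample@example.com"),
}


def _norm(addr: str) -> str:
    return addr.strip().lower()


def triage_sar(req: SubjectAccessRequest, directory: Dict[str, Customer]) -> Triage:
    """Decide how to handle an inbound SAR without trusting anything in it.

    The record is looked up only by the address the request came from, matched
    against the address on file. A name match on its own is deliberately not
    enough: a full name plus a guessed email address is exactly what the
    attacker in the experiment started with. Whatever the outcome, the sender
    gets UNIFORM_ACK, and data can only be routed to the on-record address after
    the holder of that mailbox completes an out-of-band challenge.
    """
    customer = directory.get(_norm(req.sender_email))
    if customer is None:
        # Unknown sender: acknowledge with the same text as the success path,
        # deliver nothing, and ignore requested_delivery and claimed_name.
        return Triage(UNIFORM_ACK, None, None, None)

    token = secrets.token_urlsafe(32)
    return Triage(UNIFORM_ACK, customer.email_on_record, token, customer.customer_id)


def verify_challenge(issued: str, presented: str) -> bool:
    """Constant-time check of the token the account holder sends back."""
    return hmac.compare_digest(issued.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed requests: the first mimics the experiment's attacker (victim's
    # name, invented mailbox); the second is the genuine data subject writing
    # from the address on file but asking for delivery elsewhere.
    attacker = SubjectAccessRequest("Alex Sample", "alex.sample@mail.invalid", "alex.sample@mail.invalid")
    genuine = SubjectAccessRequest("Alex Sample", "Alex.Sample@example.com", "other@mail.invalid")
    for label, req in (("attacker", attacker), ("genuine", genuine)):
        t = triage_sar(req, SAMPLE_DIRECTORY)
        print(f"{label}: deliver_to={t.deliver_to} matched={t.matched_customer}")
```

Because the challenge and the data only ever go to the address on file, a spoofed From header (which the experiment did not use, but a real attacker might) gains nothing unless the attacker also controls the victim’s real mailbox. Where the request arrives by post or through a web form rather than email, the same rule applies with whatever contact channel is on record.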