Personal Information Leakage by Abusing the GDPR 'Right of Access'

Authors: 

Mariano Di Martino and Pieter Robyns, Hasselt University/tUL, Expertise Centre For Digital Media; Winnie Weyts, Hasselt University - Law Faculty; Peter Quax, Hasselt University/tUL, Expertise Centre For Digital Media, Flanders Make; Wim Lamotte, Hasselt University/tUL, Expertise Centre For Digital Media; Ken Andries, Hasselt University - Law Faculty, Attorney at the Brussels Bar

Abstract: 

The General Data Protection Regulation (GDPR) 'Right of Access' grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finance, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and the like. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we successfully impersonated a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that organizations can implement in order to minimize the risk of personal information leakage to unauthorized third parties.

BibTeX
@inproceedings {238287,
author = {Mariano Di Martino and Pieter Robyns and Winnie Weyts and Peter Quax and Wim Lamotte and Ken Andries},
title = {Personal Information Leakage by Abusing the {GDPR} {\textquoteright}Right of Access{\textquoteright}},
booktitle = {Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)},
year = {2019},
isbn = {978-1-939133-05-2},
address = {Santa Clara, CA},
pages = {371--385},
url = {https://www.usenix.org/conference/soups2019/presentation/dimartino},
publisher = {USENIX Association},
month = aug
}