Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner's overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Posted on August 13, 2019 at 6:17 AM • 19 Comments

Comments

Alejandro • August 13, 2019 6:48 AM

So is this a good thing or a bad thing? A weakness in GDPR?
Why would the law allow someone to get the data on someone else? Seems contrary to protecting private data. Maybe I need some more coffee.

John • August 13, 2019 7:11 AM

> A weakness in GDPR

It has nothing at all to do with GDPR really. It is simply a piece of social engineering which rather vaguely used the existence of GDPR to attempt to put a pressure on its targets. In fact, the companies and organisations which responded to his falsified requests with information about someone else may be (in some cases almost certainly were) in breach of GDPR if they did not take steps deemed reasonable to correctly identify the person before they supplied the data. Doing so is a responsibility of all data controllers under GDPR.

Jeremy • August 13, 2019 7:35 AM

Well, this is what happens when non-technologists – i.e. lawyers and politicians – make policies that impact technology. All too common to get some circular logic flaws in what sounds good, vs. what is reasonable and robust.

Take the case of using DHCP to connect to WiFi in a coffee shop: technically it is a violation of GDPR for the coffee shop to store your IP address and MAC address in a DHCP lease that allows your computer to connect. This is also scary because the EU could harm businesses just by targeted enforcement of GDPR.

The same circular and semantic arguments that made GDPR the ultimate trade-in-your-anonymity for a vague promise of privacy; no different is the logic in the laws that dictated which tea kettles, toasters, and vacuum cleaners people were allowed to own, because the argument made good political sense when abstracted from the actual ridiculous context of the laws. "I helped save the environment" and much the same "I helped preserve your privacy."

Mike • August 13, 2019 7:42 AM

The big question is what will happen to those that refuse to hand out the data because they claim they can't be sure who the requester is.

Especially when the stored data is limited in scope, as it should be, it can be hard to verify the owner.
Let's say the business is only storing credit card numbers (in a safe manner). You can't send a data export to a credit card number.

Petre Peter • August 13, 2019 8:05 AM

Weak verification will be an issue for as long as we will continue to accept fax signatures. The attacks were not necessarily technical. He was very smart to pressure them with GDPR. The good news in all of these attacks was that at least the companies knew about GDPR. In fact, they were so scared of the law that they were -- in a way -- willing to break it to protect it.

andso • August 13, 2019 9:35 AM

It's hard to believe that the researcher's actions themselves were not illegal. How is social engineering any different than hacking?

TimH • August 13, 2019 9:57 AM

"two UK rail companies that provided records of all the journeys she had taken with them over several years"

Under GDPR, this info is surely unnecessary data for the business operation and therefore illegally retained.

TimH • August 13, 2019 10:05 AM

A further thought... UK is pissy about ECHR (think suspects' DNA retention), and probably pissy about GDPR. They want unnecessary data retention so as to be able to ask for.

Bet Brexit leads to repudiation of both ECHR (not part of EU treaty though) and GDPR.

Impossibly Stupid • August 13, 2019 10:55 AM

@Bruce

The quoted text linking to the GDPR clipped the query portion of the URL, so it leads to a 404. It should fully be EU's General Data Protection Regulation (GDPR).

@Mike

> The big question is what will happen to those that refuse to hand out the data because they claim they can't be sure who the requester is.

Back in December 2017 (pre-GDPR) my company received a data request via the "Chommy" robot, and we decided to refuse to give any specific information because we just didn't see how they could establish legal standing. If personal data is so important (and I would agree that it is), you just can't start handing more of it out to anybody who comes to you with a name and an email address (or whatever). Even asking for a picture of an ID is wrongheaded, because it's possible that it was obtained from another, less security conscious organization via a personal data request! Take it to the courts if getting the data is so important.
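The verification problem raised in the comments above (John, Mike and Impossibly Stupid) comes down to one design decision: whether the export is sent back to the contact details written in the request, or to a contact channel the organisation already holds for the data subject. The following is an added example, not code from the blog post or from any commenter, contrasting the mishandled pattern with a hardened intake desk. The customer store, the `Subject`/`SarRequest` types and all names and addresses are constructed sample data.

```python
"""Added example (not from the post or any commenter): a data subject access
request (SAR) intake that releases an export only to a contact channel already
held on record, never to the address supplied in the request letter.
All records, names and addresses are constructed sample data."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Subject:
    subject_id: str
    name: str
    email_on_record: str
    records: list


# Constructed customer store keyed by lowercase name, i.e. exactly the weak
# identifier that a request letter supplies.
STORE = {
    "alice example": Subject(
        "S-1001", "Alice Example", "alice@example.net",
        ["2019-03-02 stay, room 12", "2019-06-14 stay, room 7"],
    ),
}


@dataclass
class SarRequest:
    claimed_name: str
    reply_to: str  # address written in the request letter (untrusted)


def weak_handle(req: SarRequest, store: dict) -> tuple:
    """The failure mode in the post: match on the claimed name and post the
    export back to whatever address the request names."""
    subj = store.get(req.claimed_name.lower())
    if subj is None:
        return (req.reply_to, None)
    return (req.reply_to, list(subj.records))


@dataclass
class SarDesk:
    store: dict
    pending: dict = field(default_factory=dict)  # challenge token -> subject_id

    def open_request(self, req: SarRequest) -> tuple:
        """Hardened intake: the letter only triggers a challenge sent to the
        email already on record. The reply-to address is never used, and the
        requester receives the same generic acknowledgment whether or not the
        name is known, so the desk does not confirm who is a customer.
        Returns (address the challenge went to, token) or (None, None)."""
        subj = self.store.get(req.claimed_name.lower())
        if subj is None:
            return (None, None)
        token = secrets.token_urlsafe(16)
        self.pending[token] = subj.subject_id
        return (subj.email_on_record, token)

    def release(self, token: str) -> tuple:
        """Release the export, again only to the on-record address, once the
        challenge token comes back. Tokens are single use and compared in
        constant time."""
        for pending_token, subject_id in list(self.pending.items()):
            if hmac.compare_digest(pending_token, token):
                del self.pending[pending_token]
                subj = next(s for s in self.store.values()
                            if s.subject_id == subject_id)
                return (subj.email_on_record, list(subj.records))
        return (None, None)
```

With a request that names a real customer but gives an attacker-controlled reply address, `weak_handle` returns the full record set addressed to that reply address, while `SarDesk.open_request` sends nothing but a challenge to the address already on file; only a returned token causes `release` to hand over data, and then only to that same address. Where the only contact detail on record is something that cannot receive a message (Mike's credit-card-number case), this design degrades to "no channel, no release", which is the conservative outcome.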

Clive Robinson • August 13, 2019 12:45 PM

@ TimH,

> Under GDPR, this info is surely unnecessary data for the business operation and therefore illegally retained.

Under Ken Livingston as Mayor for London, the Transport for London (TfL) organisation he set up registered its database for those with "Travel Cards" etc.

It might shock you to know that that database has a section for "mental health" for each and every travel card holder, and that TfL reserve the right to use it for legal reasons/action and that they believe they have the right to pass it on to third parties without the travel card holder having any recourse against TfL...

There was complaint at the time about "public authorities" basically claiming they could store and use any and all information they pleased.

Well back then you could actually see the registration and the name of the organisational officer with legal responsibility, including the type of data held and for what purposes... However the Data Protection Registrar's duties then got moved to the Information Commissioner's Office (ICO)...

https://en.m.wikipedia.org/wiki/Register_of_data_controllers

Now all you can get online when you search the database is the registration identity code which is "Z129176X" for Transport for London. So much for "Open Government" in the UK...

Who? • August 14, 2019 2:24 AM

GDPR version 2 (obviously not very industry friendly) but easier to understand and apply:

  1. EU citizens are the only owners of their personal data.
  2. Business cannot commerce with personal, private, data; they can store it only for the minimum amount of time required to reasonably run their activities.
  3. Information must be verifiably destroyed after that amount of time or two years, whichever comes first.
  4. Law enforcement agencies can request that data while not destroyed, but only under a judge authorization.

Simple and not convoluted, not prone to interpretation, just as all laws should be.

LazyJack • August 14, 2019 4:11 AM

@Jeremy. It is certainly not a breach of GDPR to run a DHCP server.

Actually, GDPR is nothing new; these regulations have existed for decades in the EU countries. Two things have changed. It is now unified for all of the EU, which is actually a good thing, as there are no per-country variations. The other one is the huge fines, as that is the only way to make big companies comply. The rules are only new to the US, as US companies have usually not been looking very closely at the individual EU country regulations before; their eyes have only been opened by the 4% of global revenue fine. But the fact is that if you have been in compliance with European data protection regulations before GDPR, it takes very little effort to comply with GDPR.

So why is DHCP itself not against GDPR? GDPR nowhere says that you cannot store data like IP addresses. It says that you cannot have data that identifies or belongs to an individual person without a justified purpose, and only for the length of time this purpose stands. You also have to make sure that the subjects are aware of what you store and process on them and that they give consent, either explicit or implied. Consent is implied when processing personal information that is required for the service you provide.
So if you provide WiFi service to your customers, you do have a justifiable purpose. What you may not do, for example, is use this data to identify the person, store their browsing or what coffee they ordered, and use that data for other purposes than providing your service to the customer.

AlH • August 14, 2019 4:16 AM

Do you think this guy realises yet that he's committed (and publicly admitted to) criminal offenses each time he's tried to blag info out of companies? He may have obtained the consent of his girlfriend, but that is irrelevant to the s170 offense in the UK Data Protection Act of unlawfully obtaining info, which makes it an offense to obtain info without the consent of the data controller. Oops! Good luck with that public interest defence son...

Stijn • August 14, 2019 4:52 AM

"In one case, the GDPR request letter was posted to the internet after being sent to an advertising company, constituting a data breach in itself. It contained the fiancee's name, address, email and phone number."

Wait, what?!

Trevor • August 15, 2019 7:30 AM

On a related issue, there are companies that have been subject to "SAR Bombing" whereby numerous people start a Subject Access Request simultaneously. It's a form of legislative DDoS.

The GDPR requires a company to respond within a short amount of time - it's relatively easy to overwhelm a company's ability to respond.
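A burst of subject access requests of the kind Trevor describes is visible in the intake log long before the statutory response deadline bites, so the operational answer is to alert on it early and staff accordingly rather than to refuse requests. The following is an added example, not code from the blog post or any commenter, that runs a trailing-window count over constructed SAR intake log lines and raises one alert per burst; the log format, the `sar_received` event name and the window and threshold values are assumptions.

```python
"""Added example (not from the post or any commenter): detect a "SAR bombing"
burst by counting subject access requests in a trailing time window over
intake log lines. The log format and every line below are constructed."""
from collections import deque
from datetime import datetime, timedelta

# Constructed intake log: three requests on ordinary days, then twelve in
# eleven minutes on 2019-08-15 (hypothetical format: "<ts> <event> key=value").
_QUIET = [
    "2019-08-12T10:04:31Z sar_received id=r001 channel=email",
    "2019-08-13T15:22:08Z sar_received id=r002 channel=post",
    "2019-08-14T09:41:55Z sar_received id=r003 channel=email",
    "2019-08-14T09:42:10Z sar_closed   id=r001",  # other events are ignored
]
_BURST = [
    f"2019-08-15T09:{m:02d}:00Z sar_received id=r{100 + m} channel=webform"
    for m in range(12)
]
SAMPLE_LOG = "\n".join(_QUIET + _BURST) + "\n"


def parse_sar_log(text: str) -> list:
    """Return the timestamps of every sar_received event, in log order."""
    times = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "sar_received":
            times.append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    return times


def detect_sar_bursts(times: list, window: timedelta = timedelta(hours=1),
                      threshold: int = 10) -> list:
    """Return the timestamp at which the number of requests in the trailing
    window first reaches `threshold`, once per burst. The window is a deque of
    recent timestamps; entries older than `window` fall off the left end."""
    alerts = []
    recent = deque()
    armed = True  # re-armed once the count drops back below the threshold
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if armed:
                alerts.append(t)
                armed = False
        else:
            armed = True
    return alerts


if __name__ == "__main__":
    for when in detect_sar_bursts(parse_sar_log(SAMPLE_LOG)):
        print(f"SAR burst: threshold reached at {when.isoformat()}Z")
```

On the constructed log the three earlier requests never come close to the threshold, and the alert fires at the tenth request of the 09:00 cluster; the eleventh and twelfth do not re-alert because the detector stays disarmed until the trailing count falls below the threshold again. Tune the window and threshold to the organisation's normal SAR rate, which for most businesses is a handful per month.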

Martin • August 16, 2019 11:21 AM

Firstly, this is a simple social engineering/impersonation attack and the GDPR is a red herring; the rights and needs existed under the 98 Act as well. The only notable difference is that he didn't have to pay a fee to start the information rights request process.

The organisations in question have breached GDPR through a failure to implement appropriate security under Principle 6, which would have been achieved if they had followed the requirements for privacy by design and DPIAs for high-risk data processing. The GDPR rightly caters for both an individual's right to access their information as well as its security.

Da5id • August 21, 2019 4:01 PM

@LazyJack - Thank you for the mythbusting. It bakes my noodle that GDPR is so frequently misrepresented / wilfully misunderstood.

One minor correction, you mention that part of best practice is that consent must be obtained - explicit or implied.
This is not correct.
Consent is only one of the six lawful bases for processing. See the UK Information Commissioner's Office's excellent guidance.

The remaining five lawful bases *do not* require consent.

This is a commonly confused topic. I believe it stems from the fact that GDPR strengthened the underlying definition of consent and increased the fines associated with unsolicited email marketing as defined by Privacy and Electronic Communications Regulations (PECR). Consequently, many people received many requests for consent for companies to keep sending email marketing. This was only really coincidental to the implementation of GDPR and not because GDPR requires consent for all personal data processing. But the press obsessed over GDPR and the two things became inextricably linked in many people's minds. But this is only my hypothesis and I can't really provide evidential proof.

Da5id • August 21, 2019 4:14 PM

@TimH
> Under GDPR, this info is surely unnecessary data for the business operation and therefore illegally retained.

Whilst in principle this seems a reasonable assumption, it is not precise. The question is not simply about business operation, but whether a justifiable and reasonable basis and appropriate purposes for data processing have been made sufficiently clear, e.g. in a privacy notice, and whether data processing is consistent with the stated purpose(s).

There is no blanket definition of what is reasonable. Understanding a rail user's history so that you could offer them discounts on future journeys, e.g. if there were a pattern of taking the same journey every month, would, for many people, be considered a reasonable use of personal data. If the privacy notice makes this clear, customers can make informed choices (in the UK you can buy rail tickets from multiple operators).
