GDPArrrrr: Using Privacy Laws to Steal Identities

Conference: Black Hat USA 2019



The presentation argues that privacy laws should enhance privacy, not endanger it. It shows how the right-of-access process under GDPR can be turned against the people it is meant to protect, and how attackers exploit that.
  • Privacy laws should enhance privacy and not endanger it
  • The right-of-access process under GDPR is vulnerable to social-engineering attacks
  • Attackers can exploit the ambiguity of "reasonable measures" for verifying the requester's identity
  • Attackers can craft deliberately vague or complicated requests so that handling them pushes up against the statutory response deadline
  • Companies should provide secure online portals for receiving identity documents rather than accepting them by e-mail or post
  • The threat model for data is more complicated than an adversarial model of regulator versus regulated
The speaker role-played a social-engineering attack on the GDPR right-of-access process. Impersonating their fiancée, they sent organisations a letter requesting her personal data. The letter was deliberately vague and complicated so that processing it would push up against the response deadline (28 days, as the summary puts it). The speaker also exploited the ambiguity of "reasonable measures" for verifying identity and pre-emptively refused to provide identity documents, which made it even harder for the receiving company to verify who was asking. The speaker concluded that companies need secure online portals for receiving identity documents.


On May 25, 2018 the European Union's General Data Protection Regulation (GDPR) came into effect, bringing with it the most expansive governmental effort to regulate data security and privacy to date. Among the GDPR's many provisions is the "Right of Access," which states that individuals have the right to access their personal data. This provision can be easily abused by social engineers to steal sensitive information that does not belong to them.

My research centers on a practical case study wherein I attempted to steal as much information as possible about my fiancée (with her consent) using GDPR Subject Access Requests. In a survey of more than 150 companies, I demonstrate that organizations willingly provide highly sensitive information in response to GDPR right of access requests with little or no verification of the individual making the request. This ranges from typical sensitive identity data like addresses and credit card information to esoteric data such as a history of train journeys or a list of domains owned. While far too often no proof of identity is required at all, even in the best cases the GDPR permits someone capable of stealing or forging a driving license nearly complete access to your digital life. Moreover, the highly standardized nature of GDPR requests makes it possible to automate this process at immense scale and provides one of the most reliable general phishing attack typologies to date.

This is a solvable problem, and one which could have been incorporated into the initial GDPR if regulatory legislation were subjected to security assessments like those used for modern software. The presentation suggests possible remediations and offers a cautionary tale for future policymakers designing GDPR-inspired privacy legislation. It also suggests short-term ways in which individuals and businesses can protect themselves against these attacks.
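The failure the talk describes is a process that releases data to whoever writes a plausible letter, with the deadline and a claimed reluctance to share ID both pushing the handler toward skipping verification. The following is an added example, not code from the talk or from any real controller's system, of a request-intake triage that refuses to take that shortcut. The record store, field names, the "secure-upload-portal" channel and the red-flag list are assumptions for illustration; the deadline arithmetic follows GDPR Art. 12(3) (one month, extendable by two further months for complex requests) and the identity step follows Art. 12(6) (a controller with reasonable doubts may ask for the information needed to confirm identity). The sample request and account record are constructed, not real.

```python
"""DSAR intake triage (added example; assumptions noted in comments)."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class AccountRecord:
    subject_id: str
    full_name: str
    email_on_record: str      # contact channel the subject registered earlier
    postal_on_record: str


@dataclass
class AccessRequest:
    received: date
    claimed_name: str
    reply_email: str          # address the letter asks us to answer
    reply_postal: str
    identity_verified: bool = False   # set only after the portal checked an ID document
    declines_id: bool = False         # letter announces the requester will not supply ID
    complex_scope: bool = False       # reviewer judged the scope vague or very broad


@dataclass
class Decision:
    action: str                       # "refuse" | "request_id" | "release"
    due: date
    channel: Optional[str] = None
    red_flags: list = field(default_factory=list)
    reason: str = ""


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic for the Art. 12(3) clock (clamps to month end)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def red_flags(req: AccessRequest, rec: AccountRecord) -> list:
    """Signals matching the social-engineering pattern described in the talk."""
    flags = []
    if req.reply_email.casefold() != rec.email_on_record.casefold():
        flags.append("reply email differs from the address on record")
    if req.reply_postal.casefold() != rec.postal_on_record.casefold():
        flags.append("reply postal address differs from the address on record")
    if req.declines_id:
        flags.append("requester refuses identity verification up front")
    if req.complex_scope:
        flags.append("deliberately broad or vague scope")
    return flags


def triage(req: AccessRequest, records: list) -> Decision:
    due = add_months(req.received, 1)
    matches = [r for r in records
               if r.full_name.casefold() == req.claimed_name.casefold()]
    if not matches:
        return Decision("refuse", due, reason="no data held for the named subject")
    rec = matches[0]          # illustration assumes names are unique in the store
    flags = red_flags(req, rec)
    if not req.identity_verified:
        # Art. 12(6): ask for what is needed to confirm identity, through a
        # channel that does not make the subject e-mail a scan of their ID.
        # A stated refusal to provide ID, or a deadline that is getting close,
        # does not lower the bar; the answer stays "verify first".
        return Decision("request_id", due, channel="secure-upload-portal",
                        red_flags=flags, reason="identity not yet verified")
    if req.complex_scope:
        # Art. 12(3): the period may be extended by two further months; the
        # subject must be told about the extension within the first month.
        due = add_months(req.received, 3)
    # Release only to the contact channel already on record, never to the
    # reply address supplied in the letter; a forger controls the latter.
    return Decision("release", due, channel=rec.email_on_record,
                    red_flags=flags, reason="identity verified; sending to channel on record")


# Constructed sample data (not real people or requests).
RECORDS = [AccountRecord("S-1001", "Alice Example",
                         "alice@example.net", "1 High St, Oxford")]

ATTACKER_LETTER = AccessRequest(
    received=date(2019, 3, 1), claimed_name="Alice Example",
    reply_email="alice.example.requests@example.org",   # attacker-controlled
    reply_postal="PO Box 77, London",
    identity_verified=False, declines_id=True, complex_scope=True)

GENUINE_REQUEST = AccessRequest(
    received=date(2019, 3, 1), claimed_name="Alice Example",
    reply_email="alice@example.net", reply_postal="1 High St, Oxford",
    identity_verified=True)

if __name__ == "__main__":
    for r in (ATTACKER_LETTER, GENUINE_REQUEST):
        d = triage(r, RECORDS)
        print(d.action, d.channel, d.due, d.red_flags)
```

The two design choices that matter are that `identity_verified` is something the organisation establishes through its own portal, never a field the requester asserts, and that the release channel comes from the account record rather than from the letter. With those in place, the attacker's letter collects four red flags and gets only a request to verify, while the genuine request is answered on time to the address the subject already controls.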


