Mariano Di Martino and Pieter Robyns, Hasselt University/tUL, Expertise Centre For Digital Media; Winnie Weyts, Hasselt University - Law Faculty; Peter Quax, Hasselt University/tUL, Expertise Centre For Digital Media, Flanders Make; Wim Lamotte, Hasselt University/tUL, Expertise Centre For Digital Media; Ken Andries, Hasselt University - Law Faculty, Attorney at the Brussels Bar
The General Data Protection Regulation (GDPR) 'Right of Access' grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finance, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and the like. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we successfully impersonated a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that organizations can implement in order to minimize the risk of personal information leakage to unauthorized third parties.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.