About one in four businesses disclosed private information about a woman to her partner, who had made a bogus request for the data by citing an EU privacy law.
The security researcher approached dozens of UK and US-based companies to test how they would handle a "right of access" request made on someone else's behalf.
In each case he asked for all the data they held on his fiancée.
In one case, the results included the findings of a criminal background check.
Other responses included credit card information, travel details, account logins and passwords, and her full US social security number.
Oxford-based researcher James Pavur presented his findings at the Black Hat conference in Las Vegas.
The test is one of the first of its kind to exploit the EU General Data Protection Regulation (GDPR), which came into force in May 2018. The legislation shortened the time organisations have to respond to data requests, added new kinds of information that must be provided, and increased the potential penalties for non-compliance.
"Generally, if it was an extremely big business, particularly tech ones, they tended to do really well," he told the BBC.
"Small businesses tended to ignore it. But the kind of mid-sized businesses that knew about GDPR, but perhaps didn't have much of a specialised system [to manage requests], failed."
He declined to name the organisations that had mishandled the requests, but said they included:
- A UK hotel chain that shared a full record of his partner's overnight stays
- UK rail companies that supplied records of all the journeys she had taken with them over several years
- A US-based educational company that handed over her high school grades, her mother's maiden name and the results of a criminal background check
Mr Pavur did, however, name some of the businesses that he said had handled the requests well. He said they included:
- The supermarket chain Tesco, which requested photo identification
- The national retail chain Bed Bath and Beyond, which insisted on a telephone interview
- American Airlines, which spotted that he had uploaded a blank image to the passport field of its online form
One independent expert said the findings were a "true problem".
Dr. Steven Murdoch of University College London said that sending personally identifiable information to the incorrect individual is as much a data breach as leaving an unencrypted USB drive lying around or forgetting to shred private documents.