An Oxford University scholar says he was able to trick dozens of European companies into sending him sensitive data about his fiancée, simply by impersonating her while invoking GDPR’s “Right of Access” policy.

Doctor of philosophy student James Pavur, who presented his research findings Thursday at the Black Hat conference in Las Vegas, exploited the policy last February by creating a fake email address from which he sent emails to 150 companies under the assumed identity of his future wife. The email asked the businesses to disclose any personal data they had collected on her. The companies were obligated to respond under the terms of the GDPR regulatory framework.

Of the 150 companies, 84 of them affirmed that they were storing information on her. From among that smaller subset, only 39 percent of businesses insisted that Pavur first verify his identity by presenting a strong form of identification that would be difficult for him to forge, like a passport.

On the other hand, 24 percent willingly provided the fiancée’s information without any further inquisition, while another 16 percent were willing to accept a weak form of identification (such as an email address or phone number, which is easily attainable).

Thirteen percent ignored the request, at the risk of violating GDPR’s “Right of Access” policy, while five percent contended that they were not beholden to the law because they were based in America – a stance that perhaps the courts may one day decide. Another five percent claimed they had no data on her.

Strangely enough, the final three percent immediately deleted the fiancée’s account simply to avoid the trouble of sharing. “Denial of service via GDPR was very much an unintended consequence. Lucky for me. I’m still engaged. None of the accounts were important to her,” said Pavur. “But you can imagine a worse version of this attack, where instead of asking for this information, I told… companies to delete her account, and what impact that might have had on her digital life.”

Oxford University student and researcher James Pavur.

The information Pavur obtained on his fiancée ranged from low to very high sensitivity. Among the most egregious examples involved an educational services company that gave Pavur his fiancée’s her Social Security numbers, mother’s maiden name and high school grades. “…The website of this company suggests they have at least 10 million records like this that are,” said Pavur.

Ironically, another business that disclosed highly sensitive data was a threat intelligence company that analyzes data dumps to determine if organizations have been breached and compromised. This company sent Pavur a list of his fiancée’s old passwords, which were determined to be compromised in past breaches. Customers of online services frequently reuse the same passwords over and over again, which means attackers could abuse Right of Access requests to ascertain their targets’ past and present credentials.

Pavur also tricked a hotel chain into disclosing a list of locations where his fiancée stayed, and fooled a railroad company into revealing her past travel journeys. He even gathered some limited financial information on her, including 10 digits of her credit card and the expiration date.

Pavur’s entire experience was a happy accident that resulted from a bet he made with his fiancée while at an airport in Poland. The couple was annoyed at their treatment by a European airline, and Pavur’s fiancee suggested they get “petty revenge” by wasting the airline’s time with a frivolous Right of Access request.

“I thought that was really clever, but I took it a step further [and said] ‘You know what? This airline is so incompetent, I bet they won’t even check that the requests came from us. I bet I could steal your identity using GDPR.’ She said, ‘You’re on.’ Two months and 150 GDPR requests later, I assembled a treasure trove of sensitive information about her.”

Pavur said his attack is an effective one because European companies face a lot of pressure to respond to Right of Access requests in a timely manner, lest they face potential fines. Typically, they have just one calendar month to respond, Pavur explained.

Moreover, the response process involves a human element that can easily be socially engineered. “Unless you’re a big organization like Facebook or Google who can afford to automate your GDPR process, chances are there’s going to be real person at the end of the line processing [the] request, and even more importantly, this isn’t likely to be your entry level support team,” said Pavur. “This is likely to be someone in your legal department or a data protection officer empowered individuals with the capacity to screw things up. The exact kind of person [we would] want to target is given to us by default, under the pretense of GDPR.”

To mitigate this GDPR vulnerability, Pavur suggests that companies who receive Right of Access requests should require account logins (if available), outsource the process if it’s beyond their capabilities, and refuse the request if it sounds suspicious. He also recommends that European legislators take steps to reassure companies that they can reject requests in good faith, as well as clarify appropriate forms of identity verification and provide government-mediated ID verification services.