

gabe@gabegold.com
Date: Thu, 8 Aug 2019 17:51:23 -0400

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is the first known test of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

https://www.bbc.com/news/technology-49252501

[Also noted by others. PGN]

