How difficult can be it be to implement the laws of Digital Age is coming out in the open with over a year of General Data Protection Regulation (GDPR) implementation. Notwithstanding some landmark Big Fine judgements, the progress is tardy. The Gold Standard of Data Protection which the world is looking upto is still a long way to reach the comfort level for the regulator and users. Data theft has to be an aberration, but it continues to be the norm. The unintended consequences are more scary. James Pavur, a PhD student of Oxford University, in the world famous Black Hat Conference recently talked about GDPR being an identity thief’s dream ticket to Europeans’ data.
He has elaborated that ”sloppy implementation and a little social engineering can make it a heaven for identity thieves.“ This is a different angle to the same human problem we face in cases of hacks / breaches. The people who handle GDPR requests because of it being treated as a legal issue are usually dealt by admin or legal staff. They don’t have any background in security and can very easily be fooled by simplest tricks of social engineering. Might be they wouldn’t be knowing that something called social engineering exists.
Pavur sent out 150 GDPR requests in his fiancée’s name requesting any data on her. 72% of the companies replied and of these responses 24% simply accepted an email address and phone number as a proof of identity and send information on her fiancée. 16% requested easily forged ID information and 3% took the extreme step of deleting the accounts. One interesting fact emanates is that the companies are in a hurry to give away before the one month timeline and the likelihood of a fine. ”it may come as a court case, but being seen to protect data of customers would not be a bad thing.”
Most companies gave all details. The saving grace is that a lot of companies asked for account login details as the proof of identity. This is a worthwhile idea. Lawmakers need to decide what is a legitimate form of ID for GDPR requests. Privacy laws have exploitable vulnerabilities. ”If we’d look at these vulnerabilities before the law in enacted, we could pick on them.”
GDPR EVOLUTION WOULD FINALLY CREATE A GOLD STANDARD FOR DATA PROTECTION.