Organizations collect, process, use, and sell massive amounts of their customers’ personal data, often without the knowledge or consent of the data subjects. An excellent example of this is Facebook, which has been plagued by scandal after scandal because its use of the data it collects on its social media platform does not comply with the wishes of its user base.
Beyond the issue of data misuse, organizations have also been plagued by a rash of data breaches in recent years. As the value of consumer data and the size of organizations’ data repositories grows, hackers become more and more incentivized to identify and exploit vulnerabilities in these organizations’ defenses.
As a result, data protection has become a major issue, with many governments issuing data privacy regulations designed to enforce the protection of individuals’ personal data. One of the best known of these regulations is the EU’s General Data Protection Regulation (GDPR), which has raised the bar for the protection of the personal data of EU citizens around the world. However, things do not always work out as intended. Recent research has demonstrated that misunderstandings regarding the requirements of GDPR may allow an attacker to use the very provisions designed to protect individuals’ sensitive data to convince organizations to reveal it.
Introduction to the GDPR
The European Union’s General Data Protection Regulation (GDPR) is designed to greatly improve the privacy protections of consumers who are citizens of the EU. While the EU previously had a data privacy regulation, the scope of the protected data was much narrower and the potential penalties for non-compliance were much lower.
Under the GDPR, the definition of protected data is expanded to include any information that can be used to uniquely identify an individual. This is significant because it changes the scope of protected data from sensitive data (such as payment card information) to identifiable data (including email addresses, IP addresses, and the like). The increased scope of sensitive data means that many organizations are forced to change their data management policies to properly protect this data.
Another impact of GDPR is a change in how businesses can obtain consent to collect data. Previously, consent agreements typically operated on an “opt out” basis, where a user signed away many rights by using software with a license agreement written in deliberately unreadable legalese. Under the GDPR, license agreements and privacy policies must be easily readable and understandable by the average person, consumers must explicitly opt in to data collection and processing, and they can demand access to or deletion of their data at any time.
The last major change implemented by GDPR is a dramatic increase in the penalties that can be levied against non-compliant organizations. Under the GDPR, a regulator can impose a fine of 20 million euros or 4% of global turnover, whichever is greater.
Shortcomings of GDPR
While the GDPR is designed to improve individuals’ personal privacy and data security, in practice it can also pose a significant threat to them. One of the provisions of the GDPR states that an organization that has collected an individual’s personal data must disclose this information to that person upon request. While this is designed to help an individual understand their personal data exposure, it can also be misused to violate their privacy.
This was the topic of a talk at the Black Hat hacker conference in August 2019. The speaker had conducted an experiment where, with the consent of his fiancée, he made requests in her name for the data collected about her by 150 different companies. The results of his requests demonstrated how poorly these organizations understand and implement GDPR.
One discovery was the number of companies that would provide sensitive data about her with little or no verification. 24% of companies accepted an email address and phone number as proof of identity, while another 16% accepted documents that could be easily faked. As a result, the security researcher received data including (but not limited to):
- Full Social Security Number
- Mother’s maiden name
- Credit card data
- Online account credentials compromised in breaches (some still in use)
This information could easily be collected by an attacker and is enough to commit any number of other cybercrimes, including identity theft. In response to the requests, several US organizations claimed that GDPR provisions did not apply to them, demonstrating a lack of understanding of the law: GDPR applies to any organization, wherever it is based, that has a large number of EU citizens as clients.
Data Protection Implications of GDPR
The provisions of the GDPR have significantly raised the bar for organizations wishing to do business in the EU and for governments wishing to have relationships allowing mutual data exchange.
However, the results of the security researcher’s test of GDPR compliance demonstrate that many organizations have a long way to go in protecting sensitive personal data. While implementing a comprehensive data protection solution is a necessary component of avoiding data breaches, an even more important aspect is not handing the data to attackers in the name of a data privacy regulation.
Organizations are increasingly collecting massive amounts of consumers’ personal data, often without their explicit knowledge or consent. As a result, these organizations also have the obligation to understand and comply with data protection regulations and to implement a robust data protection solution to protect both their customers’ personal information and their own sensitive data.