Weaponising the GDPR
A researcher has demonstrated the abject failure of many organisations to verify the identity of someone requesting access to the information held about them. In a presentation at the Black Hat security conference, the Oxford University PhD student explained how he had obtained highly sensitive information about his fiancée (with her permission), including credit card and social security numbers, passwords, and her mother's maiden name. Under the General Data Protection Regulation, EU residents are entitled to be given the data an organisation holds about them. Obviously, this makes it critical to check that the person requesting the data is the person it relates to. In this case, a quarter of organisations simply accepted an email address and phone number as proof of identity. It's a reminder that it's essential to have robust procedures in place for responding to Data Subject Access Requests.