When GDPR came into force in May 2018, one of its stipulations was that a company has just one month to respond to a “right of access” request, also known as a subject access request (SAR), through which you can ask any company for a copy of all the personal data it holds about you.
To test how this could be exploited, a security researcher contacted dozens of UK- and US-based firms from a fake email address set up in his fiancée’s name (with her consent), to see how they would handle a right-of-access request made in someone else’s name.
Shockingly, of the 84 companies contacted, 24% supplied the personal information without checking the requester’s identity at all.
A further 16% asked for an easily forged form of ID (which he did not provide), and only 39% asked for a “strong” form of ID.
But how strong is ‘strong’ ID?
Strong ID means something like a passport or driving licence, but we’ve often discussed in the office how easy it would be to get access to ‘strong ID’.
How easy would it be for you to get hold of your partner’s passport, which is usually kept somewhere shared at home, and send a copy as ‘proof’ of identity in order to obtain their personal data? A scanned or photographed copy only proves that the sender has a copy of the document, not that they are the person named on it.
An exploit waiting to happen?
So the problem with subject access requests is that criminals can use them as a way of obtaining personal information for identity fraud. Why go to the trouble of hacking an organisation when all you need to do is create a GoogleMail account that resembles an individual’s name and then email a subject access request on their behalf? The obvious defence is to verify the requester through a channel the company already holds for that person, such as the registered account or the email address on file, rather than trusting whatever address the request happened to arrive from.
It will be interesting to see how the industry reacts to this type of threat and whether companies tighten their handling of subject access requests. As GDPR continues to bed in, we’ll have to watch this space.