Skip to main content

GDPR requests exploited to leak personal data

(Image credit: Image Credit:

Under GDPR, people have what's known as “right of access”. If a user demands all the information a company has on them, the company must comply. But what if the user was actually a fraudster, claiming to be someone they’re not?

That’s what University of Oxford cybersecurity researcher James Pavur set to find out, and released his findings at the Black Hat conference in Las Vegas. While some companies did good and spotted the fraud attempt, other weren’t as diligent.

As a result, the researcher managed to get a hold of his fiancé’s sensitive information, including credit card information, travel details, account logins and passwords, full US social security number, as well as the results of a criminal activity check.

Although he didn’t name any names when it comes to companies that had failed the test, he did say the industries they were coming from. Thus, a UK hotel chain shared data of her overnight stays, two UK rail companies shared records of all the trips she had taken with them over many years, while a US-based educational company shared high school grades, mother’s maiden name and the results of a criminal activity check.

Tesco, Bed Bath and Beyond, as well as American Airlines – passed the test.

According to Pavur, large companies are usually doing a pretty good job. Small companies, on the other hand, usually ignore such requests. It’s those in the middle that mess things up, mostly. They know about GDPR, but don’t have anyone specialised to handle such requests.

More details about the research can be found on this link