
GDPR requests exploited to leak personal data


Under GDPR, people have what's known as “right of access”. If a user demands all the information a company has on them, the company must comply. But what if the user was actually a fraudster, claiming to be someone they’re not?

That’s what University of Oxford cybersecurity researcher James Pavur set out to discover, presenting his findings at the Black Hat conference in Las Vegas. While some companies did well and spotted the fraud attempt, others weren’t as diligent.

As a result, the researcher managed to get hold of his fiancée’s sensitive information, including credit card information, travel details, account logins and passwords, her full US social security number, as well as the results of a criminal activity check.

Although he didn’t name the companies that failed the test, he did name the industries they came from. A UK hotel chain shared data on her overnight stays, two UK rail companies shared records of all the trips she had taken with them over many years, and a US-based educational company shared high school grades, mother’s maiden name and the results of a criminal activity check.

Tesco, Bed Bath and Beyond, and American Airlines passed the test.

According to Pavur, large companies usually do a pretty good job. Small companies, on the other hand, usually ignore such requests. It’s mostly those in the middle that mess things up: they know about GDPR, but don’t have anyone specialised to handle such requests.

More details about the research can be found at this link.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.