submit@infiniteprivacy.com
Personal Privacy

A Researcher Exploited GDPR to Get His Fiancee’s Personal Data

The Infinite Brief
About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

University of Oxford-based researcher James Pavur noted that while large tech companies performed the best and small companies mostly ignored his requests, medium-sized companies that likely “didn’t have much of a specialised process [to handle requests], failed.”

In one case, the response included the results of a criminal activity check. Other replies included credit card information, travel details, account logins and passwords, and the target’s full US social security number.

Curated from BBC News

Leave a Response