About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK- and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
University of Oxford-based researcher James Pavur noted that while large tech companies performed the best and small companies mostly ignored his requests, medium-sized companies that likely “didn’t have much of a specialised process [to handle requests], failed.”
In one case, the response included the results of a criminal activity check. Other replies included credit card information, travel details, account logins and passwords, and the target’s full US social security number.