
GDPiRated – Stealing Personal Information On- and Offline


M. Cagnazzo, T. Holz, N. Pohlmann:
„GDPiRated – Stealing Personal Information On- and Offline”.
In Proceedings of the European Symposium on Research in Computer Security – ESORICS19

The European General Data Protection Regulation (GDPR) went into effect in May 2018. As part of this regulation, the right to access was extended, it grants a user the right to request access to all personal data collected by a company about this user. In this paper, we present the results of an empirical study on data exfiltration attacks that are enabled by abusing these so called subject access requests. More specifically, our GDPiRate attack is performed by sending subject access requests (as demanded by the GDPR) with spoofed recipient addresses either in the on- or offline realm. Our experimental results show that entities accepting and processing offline requests (e.g., letters) perform worse in terms of ensuring that the requesting entity is the correct data subject. The worrying finding is that affected organizations send personal data to unverified requests and therefore leak personal user data. Our research demonstrates a novel attack on privacy by abusing a right the GDPR tries to protect.
