M. Cagnazzo, T. Holz, N. Pohlmann:
„GDPiRated – Stealing Personal Information On- and Offline”.
In Proceedings of the European Symposium on Research in Computer Security – ESORICS19
The European General Data Protection Regulation (GDPR) went into effect in May 2018. As part of this regulation, the right to access was extended: it grants a user the right to request access to all personal data collected by a company about this user. In this paper, we present the results of an empirical study on data exfiltration attacks that are enabled by abusing these so-called subject access requests. More specifically, our GDPiRated attack is performed by sending subject access requests (as demanded by the GDPR) with spoofed recipient addresses, either in the on- or offline realm. Our experimental results show that entities accepting and processing offline requests (e.g., letters) perform worse in terms of ensuring that the requesting entity is the correct data subject. The worrying finding is that affected organizations send personal data in response to unverified requests and therefore leak personal user data. Our research demonstrates a novel attack on privacy by abusing a right the GDPR tries to protect.
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union. Its major goal is to harmonize privacy protection mechanisms across the European Union (EU) and to enable users to exercise their rights whenever and wherever data about them is processed. On- and offline services provided to European citizens are affected by these changes and are required to comply with this regulation. An important aspect of the GDPR is the right to access, which grants a user the right to request access to all personal data collected by a company about this user via a so-called subject access request (SAR). While these changes are generally considered positive in terms of privacy and transparency for users, little research has been done on how these new mechanisms could be exploited by an adversary trying to gather personal information.

In this paper, we describe an empirical case study conducted in 2018 using rather simple techniques to exfiltrate personal data from municipal, healthcare, and other providers that process sensitive data. Broadly speaking, we send SARs to a company and request access to data belonging to a victim user, an attack we call the GDPiRated attack. Due to the private nature of the data we exfiltrated, and because most of the services we examined are identity- and location-based in terms of who uses the platforms, we decided to conduct only a small case study with data from the authors, so as not to harm any person. We also took special measures to limit the potential impact of our analysis and to perform the attack in a responsible way. The exfiltrated data could be misused in particular by attackers who want to dox other users or conduct targeted (spear) phishing attacks as part of an advanced persistent threat (APT) campaign or a fraud scheme. Our experiments hence required special handling of sensitive data.
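The weakness the study exercises is that a SAR handler trusts the reply address supplied with the request. The following Python sketch is added here as an illustration; it is not code from the paper or from any organization studied. It contrasts that naive behaviour with a handler that only ever releases data to the contact channel already on file for the subject and otherwise sends a verification challenge there. The subject records, the `reply_to` and `channel` fields, and the response layout are constructed assumptions.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Subject:
    """A data subject as stored by the controller (constructed sample record)."""
    subject_id: str
    email_on_file: str
    postal_on_file: str
    personal_data: dict


@dataclass(frozen=True)
class SubjectAccessRequest:
    """An incoming SAR. reply_to is entirely attacker-controlled: it is whatever
    sender address or postal return address appears on the e-mail or letter."""
    claimed_subject_id: str
    channel: str       # "email" or "letter" (assumed channel names)
    reply_to: str      # e-mail address or postal return address


# Constructed sample data, not taken from the paper.
SUBJECTS = {
    "u-1001": Subject(
        subject_id="u-1001",
        email_on_file="alice@example.org",
        postal_on_file="Alice Example, 1 Sample Street, 12345 Sampletown",
        personal_data={"name": "Alice Example", "dob": "1980-01-01",
                       "visits": ["2018-03-02", "2018-07-19"]},
    ),
}


def _normalize(address: str) -> str:
    """Case-fold and collapse whitespace so that a trivially reformatted
    address still compares equal to the record on file."""
    return re.sub(r"\s+", " ", address).strip().casefold()


def handle_sar_naive(sar: SubjectAccessRequest, subjects=SUBJECTS) -> dict:
    """Vulnerable pattern: the reply address named in the request is trusted,
    so a request with a spoofed return address exfiltrates the victim's
    record straight to the attacker."""
    subject = subjects.get(sar.claimed_subject_id)
    if subject is None:
        return {"sent_to": None, "payload": None, "action": "none"}
    return {"sent_to": sar.reply_to, "payload": subject.personal_data,
            "action": "release"}


def handle_sar_verified(sar: SubjectAccessRequest, subjects=SUBJECTS) -> dict:
    """Hardened pattern: data is only ever released to the contact channel that
    was on file before the request arrived. A mismatch produces a
    verification challenge to the on-file contact and nothing at all is sent
    to reply_to. An unknown subject ID yields the same response keys so the
    handler does not confirm whether an ID exists."""
    subject = subjects.get(sar.claimed_subject_id)
    if subject is None:
        return {"sent_to": None, "payload": None, "action": "challenge"}
    on_file = (subject.email_on_file if sar.channel == "email"
               else subject.postal_on_file)
    if _normalize(sar.reply_to) != _normalize(on_file):
        # Requester has not shown they are the subject: ask the real contact
        # to confirm, and send nothing to the address in the request.
        return {"sent_to": on_file, "payload": None, "action": "challenge"}
    return {"sent_to": on_file, "payload": subject.personal_data,
            "action": "release"}


if __name__ == "__main__":
    spoofed = SubjectAccessRequest(
        "u-1001", "letter", "Attacker, 9 Other Road, 99999 Elsewhere")
    print(handle_sar_naive(spoofed))     # record leaks to the attacker's return address
    print(handle_sar_verified(spoofed))  # challenge goes to Alice's on-file address, no payload
```

The protective property is not the address comparison itself (an attacker who is doxing a victim may well know the victim's real postal address) but that `handle_sar_verified` never writes to `reply_to`: even a request that copies the on-file address exactly only causes the data to be mailed to that on-file address, where it reaches the real subject. Organizations that process letters are exactly the group the study found weakest, so the offline path deserves the same rule as the e-mail path.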