Please use this identifier to cite or link to this item:
http://hdl.handle.net/1942/29194
Title: Personal Information Leakage by Abusing the GDPR 'Right of Access'

Authors: DI MARTINO, Mariano; ROBYNS, Pieter; WEYTS, Winnie; QUAX, Peter; LAMOTTE, Wim; ANDRIES, Ken

Issue Date: 2019

Publisher: USENIX

Source: Proceedings of the Fifteenth Symposium on Usable Privacy and Security, USENIX, p. 371-386

Abstract: The General Data Protection Regulation (GDPR) "Right of Access" grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finances, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and alike. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we were successfully able to impersonate a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that can be implemented by organizations in order to minimize the risk of personal information leakage to unauthorized third parties.

Document URI: http://hdl.handle.net/1942/29194

Link to publication/dataset: https://www.usenix.org/conference/soups2019/presentation/dimartino

ISBN: 9781939133052

ISI #: WOS:000527571900022

Rights: 2019 by The USENIX Association. All Rights Reserved. This volume is published as a collective work. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. Permission is granted to print, primarily for one person's exclusive use, a single copy of these Proceedings. USENIX acknowledges all trademarks herein.

Category: C1

Type: Proceedings Paper

Validations: ecoom 2021
Appears in Collections: Research publications
Files in This Item:
File | Description | Size | Format
---|---|---|---
Revised_GDPR_paper.pdf | Peer-reviewed author version | 1.92 MB | Adobe PDF
soups2019-di_martino.pdf (restricted access) | Published version | 3.28 MB | Adobe PDF