DSAR test reveals huge data breach potential


A phoney data subject access request (DSAR) made by a woman’s partner to companies in the UK and the US prompted a return of personal data from 25% of the firms contacted.

The security specialist making the request leveraged the terms of the GDPR to make his claim. He got in touch with dozens of companies on both sides of the Atlantic, stating in each case that he wanted information held on his fiancée. One of the data returns held his fiancée’s criminal record check.

Other responses yielded payment card and travel data, account credentials and passwords and his fiancée’s US social security number.

Researcher James Pavur put his discovery to the Black Hat conference in Las Vegas, showing how he tested the boundaries of the EU’s new data laws which came into being last year in May.

Under the GDPR, citizens in Europe may ask companies to tell them all the information those companies holds on the data subject. Individuals may also ask for their data to be deleted or amended.

When presented with a DSAR, organisations have 30 days in which to respond, at the risk of incurring regulatory sanctions and potential financial penalties.

Speaking to the BBC, Pavur said:

“Generally if it was an extremely large company – especially tech ones – they tended to do really well. Small companies tended to ignore me.

“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

Pavur stopped short of specifically naming and shaming companies that had handled the requests incorrectly, but he did divulge that the organisations included a UK-based hotel chain, two UK rail firms and a US-based education company, all of which had handled his partners data.

Pavur underlined how some companies had dealt well with the DSARs, citing how Tesco had asked him to provide a photo ID, and how American Airlines had noticed that he had uploaded a white space in the passport section of an online document.

Dr Steven Murdoch of University College London, highlighted the very real security worries that Pravur’s test had thrown light upon.

“Sending someone’s personal information to the wrong person is as much a data breach as leaving an unencrypted USB drive lying around, or forgetting to shred confidential papers,” he said.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.