How the GDPR Can Itself Cause Personal Data Leaks
The GDPR was created to give EU citizens more control over their personal data. Measured by the number of complaints, that goal has been "achieved": over the past year Europeans have reported violations by companies more often, and companies themselves have received plenty of orders from regulators and have hurried to close gaps in order to avoid fines. But it "suddenly" turned out that the GDPR is most noticeable and effective as a motivator for avoiding financial sanctions and ticking the compliance box. Worse, a regulation designed to put an end to personal data leaks has itself become a cause of them.
What is the problem
Under the GDPR, EU citizens have the right to request a copy of the personal data a company holds about them (a subject access request). It recently became clear that this mechanism can be abused to collect someone else's personal data. A Black Hat speaker, James, ran an experiment in which he obtained archives of his fiancée's personal data from various companies by sending subject access requests in her name to 150 organisations. Tellingly, 24% of the companies accepted an email address and phone number as sufficient proof of identity and returned the archive on that basis alone. About 16% additionally asked for a photo of a passport or other identity document.
As a result, James obtained his "victim's" social security number, credit card number, date of birth, maiden name and home address. One service that lets you check whether an email address has appeared in known breaches (Have I Been Pwned, for example) even sent a list of previously leaked credentials. Such data leads directly to account compromise if the user has not changed those passwords or reuses them elsewhere.
There are other cases where data ended up in the wrong hands simply because it was sent to the wrong person. Three months ago a Reddit user requested his personal data from Epic Games, and the company mistakenly sent it to another player. A similar story happened last year: an Amazon customer accidentally received a 100-megabyte archive containing another user's Alexa queries and thousands of WAV audio files.
Experts name the incompleteness of the General Data Protection Regulation as one of the main reasons for such incidents. The GDPR sets the deadline within which a company must respond to a request (one month) and specifies the fines for failing to do so (up to 20 million euros or 4% of annual turnover). But the procedures that would help companies comply in practice, for instance how to verify that the requester really is the data subject before the data is sent, are not spelled out. So organisations have to design their own processes, sometimes by trial and error.
How to fix the situation
One of the most radical proposals is to abandon the GDPR or rewrite it substantially. The argument is that the law does not work in its current form: it is very complex and too strict, and meeting all its requirements costs a great deal of money.
For example, last year the developers of the game Super Monday Night Combat shut it down. According to its creators, the cost of reworking the game's systems for GDPR compliance exceeded the budget the seven-year-old game had been given.
"Small and medium-sized businesses really often do not have the technological and human resources to understand regulators' requirements and make the necessary preparations," comments Sergey Belkin, head of the development department at IaaS provider 1cloud.ru. "Here, large vendors and IaaS providers that rent out secure IT infrastructure can come to the rescue. For example, at 1cloud.ru we place our equipment in data centers certified to the Tier III standard and help customers meet the requirements of the Russian Federal Law-152 'On Personal Data'."
There is an opposing view: the problem is not the law itself but companies' desire to meet its requirements only formally. As one Hacker News commenter noted, personal data leaks happen because organisations do not implement even the simplest verification mechanisms that common sense dictates.
One way or another, the EU is not going to abandon the GDPR any time soon, so the situation brought to light at Black Hat should serve as an incentive for companies to pay more attention to the security of personal data.
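The missing procedure described above, verifying that the requester is the data subject and that the export reaches only that person, is what the following added example implements. It is illustrative code written for this page, not code from any company or regulator the article mentions; the record layout, the `DsarService` name, the 15-minute code lifetime and the three-attempt limit are assumptions. The weak check at the top mirrors what the experiment found (email plus phone number accepted as identity). The hardened flow goes beyond the article in one respect: the verification code is sent only to the address already on file, so merely knowing someone's email and phone number is no longer enough, and the export is bound to the verified record so that a mix-up of the Epic Games kind is refused rather than sent.

```python
"""Added example (not from the original article or any company it names): a
subject access request (DSAR) handler that verifies the requester through a
contact channel already on file before releasing an export. Record layout,
names and the 15-minute code lifetime are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a challenge code lives 15 minutes
MAX_ATTEMPTS = 3             # assumption: three wrong codes void the challenge


@dataclass
class Subject:
    subject_id: str
    email: str  # address on file; the ONLY address an export is ever sent to
    phone: str


@dataclass
class Challenge:
    subject_id: str
    code: str
    issued_at: float
    attempts: int = 0


# Constructed sample records standing in for the customer database.
SUBJECTS = {
    "u-1001": Subject("u-1001", "alice@example.com", "+1-555-0100"),
    "u-1002": Subject("u-1002", "bob@example.com", "+1-555-0101"),
}

def build_export(subject):
    """The archive handed back to the data subject (trimmed to a dict here)."""
    return {"subject_id": subject.subject_id, "email": subject.email, "phone": subject.phone}

def weak_release(claimed_email, claimed_phone):
    """The practice the experiment exposed: knowing someone's email and phone
    number is accepted as proof of being that person, so the archive is released."""
    for s in SUBJECTS.values():
        if s.email == claimed_email and s.phone == claimed_phone:
            return build_export(s)
    return None

class DsarService:
    """Hardened flow: prove control of the on-file address, then deliver only there."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # challenge_id -> Challenge
        self.outbox = []   # (recipient, payload); stands in for the mail/SMS gateway
        self.audit = []    # append-only record of every decision

    def start_request(self, claimed_email):
        """Send a code to the address ON FILE, never to a contact the requester typed in.
        The response is identical whether or not the address exists (no enumeration)."""
        subject = next((s for s in SUBJECTS.values() if s.email == claimed_email), None)
        challenge_id = secrets.token_urlsafe(16)
        if subject is not None:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[challenge_id] = Challenge(subject.subject_id, code, self.clock())
            self.outbox.append((subject.email, f"DSAR verification code: {code}"))
        self.audit.append(("dsar_started", claimed_email, challenge_id))
        return challenge_id

    def complete_request(self, challenge_id, code):
        """A single-use, time-limited, attempt-limited code releases the export.
        Returns the address delivered to, or None when nothing was released."""
        ch = self.pending.get(challenge_id)
        if ch is None:
            return None
        if self.clock() - ch.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[challenge_id]
            self.audit.append(("dsar_expired", ch.subject_id))
            return None
        ch.attempts += 1
        if not hmac.compare_digest(ch.code.encode(), str(code).encode()):
            if ch.attempts >= MAX_ATTEMPTS:
                del self.pending[challenge_id]
            self.audit.append(("dsar_bad_code", ch.subject_id, ch.attempts))
            return None
        del self.pending[challenge_id]  # single use
        subject = SUBJECTS[ch.subject_id]
        return self.deliver(build_export(subject), subject)

    def deliver(self, export, subject):
        """Misdirection guard: the recipient comes from the verified subject record,
        and an export that belongs to someone else is refused, not sent."""
        if export["subject_id"] != subject.subject_id:
            raise ValueError("export does not belong to the verified subject")
        self.outbox.append((subject.email, export))
        self.audit.append(("dsar_delivered", subject.subject_id, subject.email))
        return subject.email


if __name__ == "__main__":
    svc = DsarService()
    cid = svc.start_request("alice@example.com")
    code = svc.outbox[-1][1].rsplit(": ", 1)[1]  # Alice would read this from her inbox
    print("delivered to:", svc.complete_request(cid, code))
```

Two design points are worth noting. First, the challenge is sent to the on-file contact, not to anything supplied in the request, because that is the only step in the flow that cannot be completed by someone who merely knows the victim's details; it still fails if the mailbox itself is compromised, which is where the stricter identity-document checks the article mentions come in. Second, `deliver` takes the recipient from the verified subject record and refuses an export whose `subject_id` does not match, so a queue or job mix-up produces a logged refusal instead of someone else's archive in the wrong inbox.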