From Shield to Sword: How Data Privacy Can Undermine Data Security

Alexander Gladis et al.

Information Systems Research, 2026. Article. https://doi.org/10.1287/isre.2023.0566

Journal rankings: FT50, UTD24, AJG 4*, ABDC A*

Abstract

What is the point in hacking computer systems when organizations voluntarily disclose personal data to anyone who asks convincingly? We show that the European GDPR is paradoxically exploitable for identity theft despite being designed to protect personal data. Subject access requests (SARs) under its “right of access” (Article 15) can be weaponized by impersonating a victim and submitting fraudulent SARs in their name. We task attackers with stealing the personal data of three volunteers (a highly privacy-aware person, an average user, and a semipublic figure) in a real-world setting. These attacks could be replicated by just about anyone. Yet, they obtained sensitive personal data, including addresses, phone numbers, national ID and bank account information, and insurance data. Based on 718 submitted SARs and 21 interviews with data protection officers, we tell a frightening, yet fascinating story of how these identity thefts unfold, expose flaws in how organizations process SARs, and uncover a systemic weakness in the GDPR. We analyze the underlying factors enabling such attacks, assess their real-world impact, and explore mitigation options for individuals, organizations, and lawmakers. Our insights have important implications for how data privacy and data security interrelate and how we manage and regulate them.

Cite this paper

@article{alexander2026,
  title        = {{From Shield to Sword: How Data Privacy Can Undermine Data Security}},
  author       = {Alexander Gladis et al.},
  journal      = {Information Systems Research},
  year         = {2026},
  doi          = {10.1287/isre.2023.0566},
}
