25% of companies found vulnerable to new GDPR phishing attempts

  • A new report by security researcher James Pavur from the University of Oxford showed that 25% of companies tested were vulnerable to phishing due to poor understanding of GDPR legislation.

    The EU General Data Protection Regulation came into force last year after a two-year notice period, and yet many companies are still not prepared to deal with the new privacy law appropriately. On the larger end of the scale, we have major firms such as British Airways and Equifax not securing customer personal information against breaches and being hit with record fines in the millions.

    Most small companies aren't aware of their legal responsibilities under GDPR or aren't prepared to deal with them, and now it looks like it's mid-sized companies that are most at risk of phishing attempts. That's the finding of security researcher James Pavur from the University of Oxford's Department of Computer Science, which he recently presented at the cyber-security conference Black Hat in Las Vegas.

    Pavur attempted phishing attacks against 83 companies from the UK and US known to hold data on his fiancée, creating a fake email account in her name and sending a GDPR "right of access" request to each company to ask for all the data they were storing on her. He found that the smaller companies had no idea about GDPR and ignored his requests, and the larger firms generally processed the request correctly, but mid-sized companies tended to fall for the phishing attempt.

    Before complying with an access request, companies are obligated to verify the identity of the individual in a secure way. Most large firms had these policies and procedures in place, asking for passport scans and refusing to release information without them. Several other firms were convinced to accept easily faked evidence such as letters sent to his fiancée's address or redacted bank statements.

    Overall, 24% of firms provided details without correctly verifying the requester's identity and 16% asked for weak ID types that are easily forged by an attacker, with only 39% asking for a correct strong ID type such as a passport. A further 13% simply ignored the request, 5% lied and said they held no data on the subject, and 3% misunderstood the request as a "right to erasure" request and deleted the data.

    Releasing personal data without correctly verifying the subject's identity is itself a data breach under GDPR, and small- to medium-sized firms without proper GDPR policies in place are potentially opening themselves up to data protection investigations they may not be equipped to handle.

    Source: BBC News

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.