An Oxford University scholar says he was able to trick dozens of European companies into sending him sensitive data about his fiancée, simply by impersonating her while invoking GDPR’s “Right of Access” policy.

Doctor of philosophy student James Pavur, who presented his research findings Thursday at the Black Hat conference in Las Vegas, exploited the policy last February by creating a fake email address from which he sent emails to 150 companies under the assumed identity of his future wife. The email asked the businesses to disclose any personal data they had collected on her. The companies were obligated to respond under the terms of the GDPR regulatory framework.

Of the 150 companies, 84 of them affirmed that they were storing information on her. From among that smaller subset, only 39 percent of businesses insisted that Pavur first verify his identity by presenting a strong form of identification that would be difficult for him to forge, like a passport.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.