How GDPR caused personal data leaks

The GDPR was created to give EU citizens more control over their personal data, and judged by the number of complaints the goal has been "achieved": over the past year Europeans have reported violations by companies more readily, and companies have received many orders from regulators and started closing vulnerabilities faster to avoid a fine. But it "suddenly" turned out that the GDPR is most visible and effective where it concerns avoiding financial sanctions, or avoiding the need to comply at all. Worse, a regulation designed to put an end to personal data leaks has itself become a cause of them.

Let's talk about what's going on here.

Photo: Daan Mooij / Unsplash

What is the problem

Under the GDPR, EU citizens have the right to request a copy of the personal data a company holds about them. It recently became clear that this mechanism can be used to collect someone else's personal data. A researcher named James, presenting at the Black Hat conference, ran an experiment in which he obtained archives of his fiancée's personal data from various companies by sending access requests in her name to 150 organizations. Notably, 24% of the companies accepted an email address and phone number as sufficient proof of identity and returned the archive once they had them. A further 16% additionally asked for a photo of a passport or other identity document.

As a result, James obtained his "victim's" social security number, credit card details, date of birth, maiden name and home address. One service that lets you check whether an email address has appeared in any known leaks (Have I Been Pwned? is an example of this kind of service) even sent a list of credentials that had previously been exposed. Such a list is enough for an account takeover if the user never changed those passwords or reused them elsewhere.

There are also cases where data ended up in the wrong hands because it was sent "by mistake". Three months ago a Reddit user requested their personal data from Epic Games, and the company mistakenly sent it to another player. A similar story happened last year: an Amazon customer accidentally received a 100 MB archive of Alexa voice requests, thousands of WAV files belonging to another user.

Photo: Tom Sodoge / Unsplash

Experts name the incompleteness of the General Data Protection Regulation as one of the main reasons such situations arise. The GDPR sets the deadline within which a company must respond to a data subject's request (one month, extendable by a further two months for complex or numerous requests) and the fines for failing to do so (up to 20 million euros or 4% of annual global turnover, whichever is higher). But the procedures that would help companies comply with the law, for example making sure the data is sent to the person it actually belongs to, are not spelled out: the regulation only says that a controller with reasonable doubts may ask for additional information to confirm the requester's identity, without saying what counts as proof. So organizations have to build their own processes, sometimes by trial and error.

How the situation can be fixed

One of the most radical proposals is to abandon the GDPR or rewrite it from scratch. Some argue that the law does not work in its current form: it is very complicated and unnecessarily strict, and complying with all of its requirements costs a great deal of money.

For example, last year the developers of the game Super Monday Night Combat were forced to shut the project down. According to its creators, the budget required to rework its systems for the GDPR exceeded the budget allocated to the seven-year-old game.

“Small and medium-sized businesses really often lack the technological and human resources to understand regulators' requirements and make the necessary preparations,” comments Sergey Belkin, head of development at the IaaS provider 1cloud.ru. “This is where large vendors and IaaS providers can come to the rescue by renting out a secure IT infrastructure. For example, at 1cloud.ru we place our equipment in a data center certified to the Tier III standard and help clients comply with the requirements of the Russian Federal Law 152-FZ ‘On Personal Data’.”

Photo: Chromatograph / Unsplash

There is also the opposite view: the problem is not the law itself but companies' desire to meet its requirements only formally. As one Hacker News commenter put it, personal data leaks happen because organizations do not implement even the simplest verification mechanisms that common sense dictates.
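What such a "common sense" check looks like in code, as an added example that is not part of the article and not the code of 1cloud or any company named above. It puts the weak pattern from the Black Hat experiment (email and phone number quoted in the request accepted as proof) next to a hardened request flow, and adds the recipient check whose absence the Epic Games and Amazon misdeliveries illustrate. Everything here is assumed for the demonstration: the in-memory `CUSTOMERS` table, the `OUTBOX` list standing in for a mail gateway, a six-digit one-time code sent to the address on file, and the customer records, which are constructed.

```python
"""Toy DSAR intake: the weak check the article describes beside a hardened flow."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records standing in for the controller's customer database.
CUSTOMERS = {
    "cust-001": {"email": "alice@example.com", "phone": "+441632960001",
                 "dob": "1988-04-02", "address": "1 Example Road"},
    "cust-002": {"email": "bob@example.com", "phone": "+441632960002",
                 "dob": "1990-11-20", "address": "2 Example Road"},
}
OUTBOX: list[tuple[str, str]] = []   # (destination, message): stands in for the mail gateway
MAX_ATTEMPTS = 5

def export_for(subject_id: str) -> dict:
    """The copy of the data the subject is entitled to, tagged with the subject id
    so the delivery step can check it against the recipient."""
    return {"subject_id": subject_id, "data": CUSTOMERS[subject_id]}

def weak_lookup(email: str, phone: str) -> Optional[dict]:
    """The practice reported at 24% of companies: quoting the email and phone on
    file counts as proof of identity. Both are known to family, colleagues and
    data brokers, so anyone who has them gets the whole archive."""
    for cid, rec in CUSTOMERS.items():
        if rec["email"] == email and rec["phone"] == phone:
            return export_for(cid)
    return None

@dataclass
class Dsar:
    subject_id: Optional[str]   # None for an unknown email; the caller cannot tell
    code_hash: bytes
    attempts: int = 0
    verified: bool = False

PENDING: dict[str, Dsar] = {}

def _code_hash(req_id: str, code: str) -> bytes:
    return hashlib.sha256(f"{req_id}:{code}".encode()).digest()

def open_request(claimed_email: str) -> str:
    """Step 1: a one-time code goes to the address on record for the matching
    account, never to contact details supplied in the request. A request id is
    returned either way, so the response does not reveal whether the email is known."""
    req_id = secrets.token_urlsafe(12)
    subject = next((c for c, r in CUSTOMERS.items() if r["email"] == claimed_email), None)
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[req_id] = Dsar(subject, _code_hash(req_id, code))
    if subject is not None:
        OUTBOX.append((CUSTOMERS[subject]["email"], f"Your data request code is {code}"))
    return req_id

def verify_request(req_id: str, code: str) -> bool:
    """Step 2: constant-time comparison plus an attempt cap, so a six-digit code
    cannot simply be enumerated."""
    req = PENDING.get(req_id)
    if req is None or req.subject_id is None or req.attempts >= MAX_ATTEMPTS:
        return False
    req.attempts += 1
    if hmac.compare_digest(req.code_hash, _code_hash(req_id, code)):
        req.verified = True
    return req.verified

def ship(bundle: dict, recipient_subject: str) -> tuple[str, str]:
    """The check missing in the Epic Games and Amazon misdeliveries: refuse to send
    an archive whose subject tag does not match the account it is going to."""
    if bundle["subject_id"] != recipient_subject:
        raise ValueError("export/recipient mismatch: refusing to send")
    dest, payload = CUSTOMERS[recipient_subject]["email"], json.dumps(bundle)
    OUTBOX.append((dest, payload))
    return dest, payload

def deliver(req_id: str) -> Optional[tuple[str, str]]:
    """Step 3: only a verified request is fulfilled, and the destination comes
    from the verified subject's own record, not from the request."""
    req = PENDING.get(req_id)
    if req is None or not req.verified:
        return None
    return ship(export_for(req.subject_id), req.subject_id)

def last_code_sent_to(email: str) -> Optional[str]:
    """Demo helper: read the latest code out of the simulated mailbox."""
    for dest, msg in reversed(OUTBOX):
        if dest == email and msg.startswith("Your data request code is "):
            return msg.rsplit(" ", 1)[1]
    return None

if __name__ == "__main__":
    rid = open_request("alice@example.com")   # the attacker never sees the code sent to Alice
    print(weak_lookup("alice@example.com", "+441632960001") is not None, verify_request(rid, "000000"))
```

With the attacker's knowledge from the experiment (the victim's email and phone), `weak_lookup` hands over the archive, while `open_request` sends the code only to the mailbox on file, so `verify_request` and `deliver` fail for the impostor. A one-time code proves control of the contact channel on record, which is the minimum; for exports containing identifiers such as a social security number, a practitioner would require the requester to log in to the existing account or present stronger evidence, and would still route the export only to that verified channel. The `ship` check is deliberately separate from verification: it guards the fulfilment step, where the misdeliveries above happened.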

Either way, the EU is not going to abandon the GDPR any time soon, so the situation brought to light at the Black Hat conference should serve as an incentive for companies to pay more attention to the security of personal data.



Source: habr.com
