Will GDPR breed a new type of phish?
Uncertainty about the new rights of data subjects will open the door to identity phishing, as social engineers leverage the fear of landmark fines.
The General Data Protection Regulation is set to land on 25th May 2018 – but with many large enterprises still overstating their readiness, it seems likely that smaller firms are a long way behind the curve, with some estimates suggesting only one-in-four SMEs are working towards compliance.
Press coverage has largely sensationalised two key areas – the huge potential fines for non-compliance and the new rights for data subjects to access and even have control over their personal information.
The current nominal £10 charge for data access will no longer be permitted – and individual rights have snowballed under the new legislation:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
There is a huge push for transparency – which means data controllers not only have to provide the data on request, they also have to provide, under Article 13:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
A social engineer’s dream
This new cocktail of rights, together with the sting in the tail of a potentially eye-watering fine for non-compliance, is going to be a social engineer’s dream.
Armed with only limited information about a subject, a malicious caller could request that subject’s record, using the threat of a huge GDPR fine if they don’t get exactly what they’re demanding. For smaller businesses without the luxury of a trained, dedicated team to handle such requests, the odds are that staff will make mistakes and release information they shouldn’t.
Even if the information held appears mundane, to a social engineer it is leverage for an attack on the next victim. An order history, for example, might be used to pass an identity check with a bank (“yes, I paid £26.92 on 15th December to J. Bloggs & Co”).
Your actual obligations under GDPR
The devil, as always, is in the detail – and Data Protection Officers must take note of the following from Article 12:
- Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Where the controller has reasonable doubts concerning the identity of the natural person making the request…, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
So, you can sometimes charge a fee, you can sometimes refuse vexatious requests – and, more importantly, you can request the additional information you need to satisfy yourself that you are dealing with the right person. That verification belongs before any record is disclosed, and a caller invoking the threat of fines is not a reason to skip it.
The strengthening of data subject rights will be a big change for many businesses – but with a little planning and effort it doesn’t have to be a breeding ground for a new form of identity fraud.