Commentary

Privacy, Please: Firms Give Up Data On A Researcher's Fiancee

GDPR is failing to protect people.

Security expert James Pavur contacted 83 firms in the U.S. and UK and asked for the data they had on his fiancee.  

He sure got it. They gave 10-digit credit card numbers, travel activity, passwords and her Social Security number — 60 details in all, Pavur said at this week’s Black Hat conference, according to BBC.

Worse, 24% supplied the requested information without verifying the requester's identity at all. Another 16% asked only for a type of ID that could easily be forged, which Pavur did not even bother to provide.

One advertising firm posted his request letter to the internet, including his fiancee’s name, address, email and phone number.

That, he said, was itself a data breach. Only 39% asked for a strong form of ID.

Pavur had his fiancee's permission to conduct the experiment. But think of it: GDPR is supposed to protect individuals from exactly this kind of fishing expedition. The right of access belongs to the data subject; it does not extend to a person's fiancee, or to third parties at all.


What if the requester was a stalker, a jilted lover or someone trying to wreck a potential marriage?

"Sending someone's personal information to the wrong person is as much a data breach as leaving an unencrypted USB drive lying around, or forgetting to shred confidential papers," said Steven Murdoch of University College London, BBC reports.

The bigger firms did better.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," Pavur said, according to the BBC.

Among the best performers were Tesco, Bed Bath & Beyond and American Airlines. These brands demanded either a photo ID or a telephone interview, and American Airlines challenged Pavur because he had uploaded a blank passport image to its online form.

But others did not do as well, Pavur says. For instance, a UK hotel chain provided a record of his fiancee's overnight stays. Two UK rail companies gave him a roundup of all her trips over several years.

And in the U.S., an education company gave up her high school grades, mother’s maiden name and the results of a criminal background check, BBC continues.

American companies are not, in theory, governed by GDPR. But they are subject to it when they offer goods or services to people in the EU, or monitor their behaviour, and so hold their data; the regulation turns on where the data subject is, not on citizenship.

This raises the question of how a company can surrender data of this type when it knows it can be held accountable, and why firms are keeping such data at all rather than deleting it after an appropriate retention period.

According to Pavur, 3% claimed they had deleted all of his fiancee's data. But he suspects they misread the request.

The takeaway? Companies had better improve their process. Failing that, expect a flood of litigation — from EU jurisdictions and private victims, both women and men.
