GDPiRated – Stealing Personal Information On- and Offline

Matteo Cagnazzo, Thorsten Holz, Norbert Pohlmann

European Symposium on Research in Computer Security (ESORICS), Luxembourg, September 2019


The European General Data Protection Regulation (GDPR) went into effect in May 2018. As part of this regulation, the right of access was extended: it grants a user the right to request access to all personal data a company has collected about that user. In this paper, we present the results of an empirical study on data exfiltration attacks that are enabled by abusing these so-called subject access requests. More specifically, our GDPiRate attack is performed by sending subject access requests (as provided for by the GDPR) with spoofed recipient addresses, either in the online or the offline realm. Our experimental results show that entities accepting and processing offline requests (e.g., letters) perform worse in terms of ensuring that the requesting entity is the correct data subject. The worrying finding is that affected organizations respond to unverified requests with personal data and therefore leak personal user data. Our research demonstrates a novel attack on privacy that abuses a right the GDPR is intended to protect.