Exploiting Data Subject Access Rights under New Privacy Laws

Presented at Diana Initiative 2019, Aug. 10, 2019, 3 p.m. (60 minutes).

The ability to request access to all the personal information a company has on an individual under new privacy laws such as the GDPR and CCPA has created new attack vectors for social engineering. These personal data access requests are usually managed by legal or compliance teams with minimal security review, increasing the potential for successful phishing, OSINT, and “legal DDoS.” This talk will discuss the personal data access options required in different regions, how most companies respond to data access requests, and the most effective exploits for privacy vulnerabilities. We’ll explore the psychology driving corporate responses to requests and ways these emotions can be exploited, as well as the most likely targets for a weak privacy program. A cheatsheet with key sections of the laws you need to know for successful exploits will be included.


Presenters:

  • Amber Welch - Privacy Technical Lead at Schellman & Company
    Until she’s accepted for a Mars mission, Amber Welch is pursuing the advancement of personal information privacy and data protection as a Privacy Technical Lead for Schellman & Company. Amber has been assessing corporate privacy compliance programs for the past year and prior to that, managed security and privacy governance for a suite of SaaS products. She has previously worked in companies creating ERP, CRM, event planning, and biologics manufacturing software.
