KatsBits Community

General Category => Blog => Topic started by: kat on December 11, 2021, 03:02:07 PM

Title: GDPR & CCPA Data Phishing Scam
Post by: kat on December 11, 2021, 03:02:07 PM
UPDATE: see reply below (https://www.katsbits.com/smforum/index.php?topic=1138.msg5169#msg5169).
Owning, running or being the admin of an online property that's openly accessible to the public means being answerable to a number of privacy regulations, notably the European General Data Protection Regulation (https://gdpr-info.eu/) (GDPR) and the California Consumer Privacy Act (https://oag.ca.gov/privacy/ccpa) (CCPA), both essentially meant to give the User power to refuse or inspect what Personally Identifying Information and data might be collected while browsing the Internet. Under normal circumstances this isn't an issue, as Users can be (re)directed to any available Privacy Policy (https://www.katsbits.com/privacy/) or other 'terms' document that should inform them as to what may or may not be being collected and who would be responsible for it.

However, scammers, phishers & 'hackers', always looking for inroads and avenues of attack, use the legislation to formulate boilerplate inquiries to 'process phish', that is, to gauge points of socially engineered attack that might be ascertained from any responses given. Fortunately, genuine enquiries tend not to be formulated with so much formal specificity and can be safely ignored (search email and contact information to verify the sender).

Quote
From : Mary Clark <maryclark@potomacmail.com>
Subject : Questions About GDPR Data Access Process for [domain]

To Whom It May Concern:

My name is Mary Clark, and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
3. What personal information do I have to submit for you to verify and process a GDPR data access request?
4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding katsbits.com, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

Mary Clark

Quote
From : Victor Coutand <victorcoutand@envoiemail.fr>
Subject : Questions About CCPA Data Access Process for [domain]

To Whom It May Concern:

My name is Victor Coutand, and I am a resident of Nice, France. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Would you process a CCPA data access request from me even though I am not a resident of California?
2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
3. What personal information do I have to submit for you to verify and process a CCPA data access request?
4. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding katsbits.com, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

Victor Coutand
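The two inquiries above differ only in the jurisdiction, the citation, the deadline and the sender's name and address. As an added example (not part of the original post or of KatsBits), this Python check strips exactly those tokens and compares what remains, which is how a mail filter can spot that separate senders are working from one template. The message bodies are abridged from the two emails quoted above; the substitution list is my own construction.

```python
import re
from difflib import SequenceMatcher

# Abridged bodies of the two inquiries quoted above (greetings and signatures dropped).
GDPR_BODY = (
    "My name is Mary Clark, and I am a resident of Roanoke, Virginia. I have a few questions "
    "about your process for responding to General Data Protection Regulation (GDPR) data "
    "access requests: 1. Would you process a GDPR data access request from me even though I "
    "am not a resident of the European Union? 2. Do you process GDPR data access requests "
    "via email, a website, or telephone? I look forward to your reply within one month of "
    "this email, as required by Article 12 of GDPR."
)
CCPA_BODY = (
    "My name is Victor Coutand, and I am a resident of Nice, France. I have a few questions "
    "about your process for responding to California Consumer Privacy Act (CCPA) data "
    "access requests: 1. Would you process a CCPA data access request from me even though I "
    "am not a resident of California? 2. Do you process CCPA data access requests "
    "via email, a website, or telephone? I look forward to your reply within 45 days of "
    "this email, as required by Section 1798.130 of the California Civil Code."
)

# Constructed list of the tokens a template would swap per jurisdiction and per sender.
# Order matters: full citations are replaced before the short law names they contain.
SUBSTITUTIONS = [
    (r"General Data Protection Regulation|California Consumer Privacy Act", "<LAW_NAME>"),
    (r"Article 12 of GDPR|Section 1798\.130 of the California Civil Code", "<CITATION>"),
    (r"\b(?:GDPR|CCPA)\b", "<LAW>"),
    (r"the European Union|California", "<JURISDICTION>"),
    (r"one month|45 days", "<DEADLINE>"),
    (r"My name is [^,]+, and I am a resident of [^.]+\.", "My name is <NAME>, and I am a resident of <PLACE>."),
]

def normalise(body: str) -> str:
    """Replace the substitutable tokens with placeholders, leaving the template skeleton."""
    for pattern, placeholder in SUBSTITUTIONS:
        body = re.sub(pattern, placeholder, body)
    return " ".join(body.split())

def template_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of the normalised bodies; 1.0 means identical skeletons."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def flag_templated(inbox, threshold=0.9):
    """Pairs of (sender, body) whose bodies are the same template with tokens swapped."""
    return [(a, b, round(s, 3)) for i, (a, ba) in enumerate(inbox)
            for b, bb in inbox[i + 1:] if (s := template_similarity(ba, bb)) >= threshold]

# Sender addresses as shown in the quoted From: headers above.
INBOX = [("maryclark@potomacmail.com", GDPR_BODY), ("victorcoutand@envoiemail.fr", CCPA_BODY)]
```

Running `flag_templated(INBOX)` reports the two senders as a single template at score 1.0, which is the 'formal specificity' signal the post describes.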
Title: UPDATE: GDPR & CCPA Data Phishing Scam
Post by: kat on December 27, 2021, 01:32:35 PM
It appears the emails discussed above were part of an undisclosed research project that aimed to assess how GDPR and CCPA were actioned by those contacted:

Quote
Hello,

You may have recently received an email from envoiemail.fr regarding your process for responding to General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) data requests for the following domain(s): katsbits.com. Please disregard that email.
The email was sent as part of an academic research study on GDPR and CCPA, which we have concluded. We will delete all responses received on December 31, 2021. We sincerely apologize for any burdens caused by our study.

If you would like more information about the study or to contact our research team, please see: https://privacystudy.cs.princeton.edu.

Sincerely,

Princeton-Radboud Study on Privacy Law Implementation

The way this was done raises a number of questions the authors don't seem to fully appreciate, in that for a research project that's supposed to assess compliance from a User's perspective, their enquiries were too legally specific, framed in a way that required an equally legalistic response to the query.

While thematically the questions might be pertinent, they were not framed at all from the point of view of the End User, whose only interest is in knowing what data Service Providers use and maintain, and for what purposes - this is, after all, whom legislation like GDPR and CCPA is supposed to protect, and who are encouraged to use the legislation for that purpose. Instead the articulation was that of a legal team probing points of weakness that hold potential to be litigiously exploited in those they contacted.

In light of this, there are certainly better ways to go about it than messages that do indeed come across as security risks or legal threats.