The EU’s new General Data Protection Regulation (GDPR) has increased the cybercrime threat level because of features tech companies have been forced to build into their products, experts have warned.
Jean Yang, professor at Carnegie Mellon University’s School of Computer Science (SCS), recently revealed that her Spotify account had been hacked.
Following her experience, she believes GDPR risks abuse by granting hackers a way to access more detailed information than ever before.
She said she had “discovered an unfortunate consequence of GDPR – once someone hacks into your account, they can request, and potentially access, all of your data”.
The hacker seems to have exploited what is called the subject access right. The rule allows consumers to request and download all of the information a company holds on them so they have the option of migrating it to another service.
Yang added: “Whoever hacked into my Spotify account got all of my streaming data, song data, etc. history simply by requesting it.”
The hackers also managed to get hold of her birth date, redacted credit card details, and the dates and devices from which she had accessed Spotify.
Yang said that even the biggest technology companies are leaving their users vulnerable to data breaches.
She said all companies should put multi-factor protection on customers’ personal data to prevent it being accessed by criminals.
She explained: “It would have been a lot better, for instance, if Spotify had made this file available only after authenticating via email.”
In a tweet, she added: “Also, if @Uber or @lyft is watching, I hope your security/privacy engineering teams are being careful with your download-all-data feature!! Would be pretty bad to get hacked and kidnapped in the same day!”
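The control Yang describes, releasing the export only after authenticating via email, can be sketched as follows; this is an added example, not Spotify's code or anything from the article. The `ExportGate` class, the 15-minute link lifetime and the 7-day block after an e-mail address change are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60              # assumed: e-mailed link is valid for 15 minutes
EMAIL_COOLDOWN = 7 * 24 * 3600   # assumed: no export for 7 days after an e-mail change


class ExportGate:
    """Releases a data export only after a one-time token sent by e-mail is redeemed."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def request_export(self, user_id, email, email_changed_at):
        """Called from a logged-in session. Returns the mail to send, never the archive."""
        if self._clock() - email_changed_at < EMAIL_COOLDOWN:
            # A hijacked session could swap the address first, so a recent change blocks export.
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a leaked pending table cannot be replayed.
        self._pending[digest] = (user_id, self._clock() + TOKEN_TTL)
        return {"to": email, "token": token}

    def redeem(self, session_user_id, token):
        """True only for an unexpired, unused token issued to this same account."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return False
        user_id, expires_at = entry
        return user_id == session_user_id and self._clock() <= expires_at
```

With this gate, a stolen password or session alone yields a pending request and a message in the owner's inbox, which also serves as a notification that someone asked for the data.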