AIB Right of Data Access Request Process

Posted

I recently made a GDPR Right of Data Access request to AIB (an Irish bank) and was somewhat disappointed with the process. Here is a quick writeup of what I experienced.

Making the Request

Making the request is trivial. I just had to pick the branch at which I would like to pick up my documents. The fact that I had to go to a bank to pick up the data was annoying but I guess I would have to play by their rules. Within a week I got a confirmation that my data was ready to be picked up at the selected branch. Overall I was quite impressed with the simplicity and speed of the process.

The only hiccup was really that the clerk didn't know what a GDPR Data Access Request was. However after talking to a couple of people in the office they managed to find my envelope.

Password

In the confirmation they shared the password with which my data was encrypted. It seems like a great idea to send the password separately from the data. This way if either the email or the disc was intercepted my data would not be at risk. You needed both the email and the disc to get access to my data.

Unfortunately the password was KCox2020!. Yikes! Instead of generating a random password the password was ${first:0:1}${last}${year}!. This makes the password useless against any motivated attacker because it is trivial to deduce for any request.

To make it worse the letter that accompanied the disc contained all of this information on the outside of the envelope. So much for the benefit of the two-factor.

Format

Media

To start with the data was on a CD. I don't own a CD drive anymore. Luckily a colleague lent one to me so I managed to copy of the data. I wish they just let me download the 44KiB of data.

Encryption

As promised the data was encrypted. However it was done so using the proprietary McAfee File & Removable Media Protection software. When I mounted the CD it just appeared to have a Windows executable MfeEERM.exe (and a DLL for some reason). Since I don't use Windows at work or at home I couldn't access this file very easily.

It isn't clear to me if this is allowed for GDPR requests. The following text is from GDPR Article 15(3). I don't know if this McAfee encryption is considered "a commonly used electronic form".

The information shall be provided in a commonly used electronic form.

Luckily I had an old Windows VM lying around and was able to mount a disk image. It popped up a window with a password dialog, I entered my insecure password and it mounted another partition with the single file.

File Format

My data consisted of a single XLSX file with three sheets. It would have been nice to see something simpler such as three CSV files but XLSX is common enough that it can be opened with a wide variety of free and freely available software.

Summary

Overall I managed to get the information I needed however the convenience and security could be greatly improved.

Request Process A- It was trivial to make the request and get the data.
Data Format D While I could manage to read the data it was very inconvenient.
Security C Mostly chain of custody security, the password might help if I dropped the disc somewhere.