The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished:<\/p>\n\n\n\n
There\u2019s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers \u2014 stored in emails, calendar entries, or the final report. These details are usually public anyway (e.g., in the imprint or on LinkedIn) and are solely used for communication. They are always processed but are generally considered low risk.<\/p>\n\n\n\n
As soon as the target system includes an internal network \u2014 especially one with Active Directory \u2014 it\u2019s almost impossible to avoid encountering other personal data. Names, usernames, and often password hashes or even cleartext passwords may temporarily reside on the pentester\u2019s system. This isn\u2019t accidental; it\u2019s part of the job \u2014 privilege escalation, lateral movement, domain takeovers.<\/p>\n\n\n\n
What\u2019s important here: there is no need to store personal data permanently or transfer it to the service provider\u2019s infrastructure. All data is processed locally and remains local. Only relevant excerpts are included in the report \u2014 and even then, only as much as necessary. Identities can and should be anonymized or pseudonymized.<\/p>\n\n\n\n
When production systems are tested \u2014 such as an online shop \u2014 it\u2019s possible that real customer data may briefly become visible. The aim is not to store this data but to identify vulnerabilities. For example, can unauthorized users view other customers\u2019 orders? If so, some records may be momentarily processed. This is unavoidable but kept as non-invasive as possible.<\/p>\n\n\n\n
As soon as internal or production environments are involved, a DPA should be signed. The key principle is data minimization. A penetration test is not about collecting data \u2014 it\u2019s about uncovering weaknesses. And that can be done without copying entire databases.<\/p>\n","protected":false},"excerpt":{"rendered":"
The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished: 1. Customer Points of Contact There\u2019s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers \u2014 stored … [Read more…]<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[214],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-psauer","4":"post-3861","6":"format-standard","7":"category-data-privacy"},"_links":{"self":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/comments?post=3861"}],"version-history":[{"count":4,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3861\/revisions"}],"predecessor-version":[{"id":3866,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3861\/revisions\/3866"}],"wp:attachment":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/media?parent=3861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/categories?post=3861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/tags?post=3861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}