[wickedlogic]

I haven't seen this reasonably addressed in any of the discussions, or org-based-presentations thus far. GDPR compliance itself basically ensures you cannot collect enough information to even defend against this type of attack vector.

[smu]

This is mentioned in the recitals: you can request additional identification, in fact you should if you can't identify the subject [1] and if you can demonstrate that you can't identify the data subject (with reasonable effort), you don't have to comply to the request. [2]

[1] https://gdpr-info.eu/recitals/no-57/

[2] https://gdpr-info.eu/art-12-gdpr/ (point 2)