by mpnordland 2510 days ago
Point of fact: it's not the GDPR, per se, that causes companies to hand over personal information to duplicitous individuals. It's those companies' poor verification and security practices.

The GDPR does create a new attack surface, in that companies now have a legal obligation to provide information. The article did not say whether or not there is a legal obligation to properly verify the identity of the requestor.

2 comments

It isn't really a new attack surface because GDPR is only a refinement of previous rules. Companies inside the EU already were subject to previous iterations of this "Ask permission, don't keep stuff you don't need, tell subjects what you know, fix mistakes on request" model.

Back when I first worked for a start-up, Richmond Informatics (subsequently Garlik, which was then bought by Experian), it began by doing subject data access requests for key personnel just to see what was out there. That's well over a decade ago.

And yes, they have a responsibility to ensure they only give the actual subject the data, which is tricky, but if it's too hard then probably "don't keep any data" was the correct answer. "Thank you for your letter. We do not keep any data whatsoever about our users." Done.

At Experian the main theme of the training in this area was "Do not try to help, don't respond in any way except to forward everything to the special department that handles these requests".

I think it is a new attack surface for any company that had the policy to never give out a user's information and is now required to give out the information.