It's not about an attack vector (which may be uncommon or unexpected) but about a basic process for handling information requests. If you're a data controller, there are a few duties you must satisfy, and handling these requests is a mandatory part.

If you're not prepared (whatever that means in your organization) to receive and answer information requests from customers, then you're not prepared to meet GDPR requirements.

If a company had a reasonable process for identity verification in place, and that process was circumvented by an attacker, then I (and most likely the regulator) would consider that as trying and failing, which is generally not punishable but mandates improvements. However, if the company didn't have any process in place (which seems to be the case in many of these examples) and "just happened" to fail, then I (and, again, most likely the regulator) would consider that as negligence, because they had an explicit duty to "use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers" and did not. The question essentially comes down to "were the measures they used reasonable?"; if you spend a little time thinking about it beforehand, you generally get to something reasonable, but if a random employee tries to wing it when the first request comes, then it's plausible that the result will not be reasonable.

And, regarding "Does your DSR plan also have to prevent spearphishing your DBAs?", the answer is not clearly negative: GDPR does require you to take reasonable means to ensure data security, and that could involve taking some steps to both reduce the risk of spearphishing DBAs and ensure that DBAs don't get unlimited, unlogged, unsupervised access to private data. In any case, if a breach occurs by spearphishing your DBAs, you'd need to demonstrate to the regulator that you did take reasonable measures and this wasn't because of pure negligence.