However, as far as I can tell, these companies have done the opposite and _breached_ the GDPR by failing to keep personal data safe, as the GDPR itself requires, in the process of handling a data access request (as happens to be mandated by the GDPR).
I don't see how this is a problem with the GDPR itself. It _is_ a problem with how some companies have implemented it.
According to the article, the researcher says that "lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests".
I'm not sure I want this. I want companies to remain liable for data breaches even if they come from illegitimate data access requests. A single standard won't suit all situations.
Maybe things will improve with time as people learn from episodes like this. Or maybe not.
Giving out data to someone other than the data subject is a data breach.
If you can't identify the subject positively you don't give out the data.
You document this - it is not like you get an instant fine without anybody asking you about what was going on.
This is not YouTube or PayPal or Twitter banning your account without a chance to talk to someone. Before you get a fine someone will talk to you. If you get a fine you can appeal. It is not an instant 4% of your income deducted automatically from your account.
Without any reasonable way to distinguish between legitimate requesters and attackers, their options are to not provide the information to someone who may be the right person or to provide it to someone who may be the wrong person. If both of those are illegal that implies it's impossible to comply with the law.
If you need identity data then verify identity. Most companies don't, and then they should not store it.
This is already the case in banking; I don't see a reason why other companies think they shouldn't need to do this.
The problem is that there is data which is personally identifying and yet not useful to authenticate the user, and that information may be necessary for the operation of the service.
> This is already the case in banking; I don't see a reason why other companies think they shouldn't need to do this.
What banks do is to know the identity of all their users. Requiring sites to do that is the exact opposite of the apparent purpose of this law, so it would be a massive farce if that was the only way to comply with it.
The article also jumps to the same troubling conclusion: That the law is deficient because it failed to make provision for greedy data hoarders to continue without changing their business.
In my opinion the law is working as intended, and requiring extreme security precautions around the hoarding of personal data. If a few companies with abusive business models become non-viable in the process, that's a side benefit.