This is why there's so much focus (or supposed to have been) on *process*. It's easy to point fingers at GDPR, and it has it's role to play, but the underlying flawed policies/processes that caused this are the company's doing
https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/ via @theregister