Hacker News

What provisions are there in place for a company receiving this type of request to confirm the identity of the requesting party? Are companies expected to be able to properly identify a citizen, in order to not disclose possibly very sensitive information to someone else impersonating them? In a lot of cases the company might not even have enough information stored in order to know who the owner of a given account is. How do you prove "abc123@example.com" is Mr. Smith, if your service doesn't ask them for names? Or if it does, which Mr. Smith do you have on record? Email original senders can be spoofed.

The first thing I'd do if I were a black hat type attacker would be to submit GDPR information requests to all internet companies I could think of on behalf of all my targets.



I haven't seen this reasonably addressed in any of the discussions, or org-based-presentations thus far. GDPR compliance itself basically ensures you cannot collect enough information to even defend against this type of attack vector.


This is mentioned in the recitals: you can request additional identification, and in fact you should if you can't identify the subject [1]; and if you can demonstrate that you can't identify the data subject (with reasonable effort), you don't have to comply with the request. [2]

[1] https://gdpr-info.eu/recitals/no-57/

[2] https://gdpr-info.eu/art-12-gdpr/ (point 2)



