
I doubt that a black-hat attacker is going to file a lawsuit to obtain someone else's personal information.


But what if the request is genuine?


Then the user will be authenticated by the court, and you will have to make your case that without the court's intervention, you could not be certain of the requester's identity.

This isn't black and white. It is legally ok to question the validity of GDPR data subject requests.


> I doubt that a black-hat attacker is going to file a lawsuit

If you tell someone requesting their own data under GDPR “tough luck, you lost your password,” that could invite remedies under the law.


What are they going to sue for? "I can’t identify myself but still want the data of some random person I claim to be"?



