As someone who work with GDPR , reading this article makes me cringe!
First of all, it is not clear to what type of orgnaisatiosn the SAR requetss were sent. Is it all US Organisations or EEA organisations.
If its EEA organisations, i would like to see percentige of how many provided data without reasonable checks.
As someone coming from UK data protection perspective, the Data Protection laws ecsisted from 1988. The last Data Protection Legislation was 1998. Yes, i agree some irganisatiosn have bad practises, but thats not due to lack of clarity from legislation (as the COde or practice and guidance on legislation is provided by the supervisory authority in UK case ICO.)
I think this is an issue with oirganisations either having as their DPO/Data Protection advisor, someone who never done the job or getting a bad advice from lawyers.
If you read any guidance from the ICO, on identification they state the following:
"If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information."
So if the requesT came via emai, asking for confirmation if we hold data, and the request came from email name.lastname@hotmail.com and we had this email address on recrod belonging to that individual, we have to ascertain if this is the data subject.
We can reasonably say yes it is, so we can confirm we have their data.
If we dont have hold that email address on record and we have doubts, we would either ask for more information or ask for ID.
However if we are a marketing organisation, asking for an ID is excessive, as we dont have those details to verify their ID agains. So you wold have to use the data you have as a verification.
It all comes down to what data you hold and for what purposes.
If i hold Social Security Number etc, and this is requested, i would ask for ID.