Thanks for the kind words!

I won’t take credits for the template, I have used the one found here: https://www.datarequests.org/blog/sample-letter-gdpr-erasure-request/

Eh, the thing is I made the formal request using data deletion module, but I just assumed that’s what the support person asked the development person (“team”), assuming it was not the same person for both!

Congratulations on completing this!

I have indeed moved most accounts to individual aliases. I used to use the same username and similar emails (perhaps grouped like shops@mydomain), but I got no benefit and the username allowed unnecessary correlations.

So alias + random username and I will have much much less trouble in the future. Hopefully!

You are right and what some people miss is that social engineering being the vector to gain foothold doesn’t mean that it was sufficient to allow the breach. Almost always you need some other weakness (or a series of them). Except when the weaknesses are so had that you don’t need a foothold at all (like this case), or when the social engineering gives you everything (rare, but you might convince you someone to give you access to data etc.).

A whole separate conversation is deserved by how effective (or not) social engineering training is. Quite a few good papers about the topic came out in the last fee years.

Social/Political problems need social/political solutions, not technical solutions.