"A script could have been easily written"
What's to guarantee that it hasn't?
T-Mobile has crushed a bug in subsidiary MetroPCS that could have allowed attackers to steal details on any of its 10 million customers, according to reports. Cinder researchers Eric Taylor and Blake Welsh say the vulnerabilities were simple to exploit up until a patch was dropped. Motherboard exploited the vulnerabilities …
If the information could be used for financial or other advantage (including a competitor or an agent), it was only a matter of time before a fishing script had been or was written.
If a page needs to do lookups of private information, it would seem best to try and limit the scope of the lookups to that relevant to the user login, use session/page guard tokens, have lookup use count limits and limit the information returned by earlier step lookups to block or slow down fishing requests.
Agreed, it would be best to manage and control the data lookups. However, from experience there are far too many clueless designers and developers out there that struggle with the basic mechanisms of providing the data and frankly have no comprehension of in-depth security. If you don't build (good) security in from the very start it's likely to be a ball-ache to retro-fit and just as likely to be forgotten as "new stuff" usually takes priority.
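The controls suggested in the comments above (scoping lookups to the logged-in user, session/page guard tokens, lookup count limits, and trimming what each lookup returns), sketched as an added example that is not code from the article or from any commenter. The account data, function names, and limits are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
MAX_LOOKUPS = 5                       # assumed lookup budget per window
WINDOW_SECONDS = 60

# Constructed sample data: phone number -> account record.
ACCOUNTS = {
    "5550100": {"owner": "alice", "plan": "unlimited", "address": "1 Example St"},
    "5550101": {"owner": "bob", "plan": "basic", "address": "2 Example Ave"},
}

class Session:
    def __init__(self, user):
        self.user = user
        self.id = secrets.token_hex(16)
        self.lookups = []  # timestamps of counted lookup attempts

def page_token(session, page):
    """Guard token bound to one session and one page, issued at render time."""
    msg = f"{session.id}:{page}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def lookup_account(session, token, number, now=None):
    """Return (status, body) for an account lookup request."""
    now = time.time() if now is None else now
    # 1. Guard token: the request must come from a page rendered for this session.
    if not hmac.compare_digest(token, page_token(session, "account")):
        return 403, {"error": "bad token"}
    # 2. Count limit: every attempt counts, including ones denied in step 3.
    session.lookups = [t for t in session.lookups if now - t < WINDOW_SECONDS]
    if len(session.lookups) >= MAX_LOOKUPS:
        return 429, {"error": "lookup limit reached"}
    session.lookups.append(now)
    # 3. Scope: only the caller's own record; unknown and not-owned numbers
    #    get the same answer, so responses cannot be used to enumerate accounts.
    record = ACCOUNTS.get(number)
    if record is None or record["owner"] != session.user:
        return 404, {"error": "not found"}
    # 4. Return only the fields this page needs, not the whole record.
    return 200, {"number": number, "plan": record["plan"]}
```
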