diff --git a/scipost/views.py b/scipost/views.py
index 687dcd50edd0d16f924c48dc64aa4ec85e9964ee..4af50e1ab02c86a442c2f3a0e114eec79d417ac3 100644
--- a/scipost/views.py
+++ b/scipost/views.py
@@ -1120,6 +1120,9 @@ def update_personal_data(request):
 return render(request, 'scipost/acknowledgement.html', context)
 else:
 user_form = UpdateUserDataForm(instance=contributor.user)
+ # Prevent exploit of gaining view on self-authored submissions by changing surname.
+ user_form.fields['last_name'].widget.attrs['disabled'] = True
+ # Surname can only be changed through the admin.
 cont_form = UpdatePersonalDataForm(instance=contributor)
 return render(request, 'scipost/update_personal_data.html',
 {'user_form': user_form, 'cont_form': cont_form})
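Review bot: Setting `widget.attrs['disabled']` only changes the rendered HTML; when the form is later bound to a request, Django still reads a submitted `last_name` value and saves it, so the surname change the new comment intends to block is not actually prevented server-side. The new lines also sit only in the unbound `else` branch of `update_personal_data`, while the bound-form path that writes the data is presumably the branch above this hunk (outside it), so the rendering tweak never reaches the save. The field-level flag is the right tool, since it makes Django ignore any submitted value and keep the instance value: `user_form.fields['last_name'].disabled = True` (a `Field` attribute since Django 1.9; confirm the project's version), applied wherever `UpdateUserDataForm` is constructed in this view. Stylistically, the two comments straddling the assignment would read better as one block above it, e.g. `# Surname changes are admin-only: stops a contributor gaining view on self-authored submissions by changing surname.`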