The funny thing about this is that it kinda makes it OK for Discord to still have the records. But...
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.
There is no reason for a company like Discord to ever see the ID. The owner of each relevant form of ID — usually a government agency/department — should provide an attestation service, such that users prove their identity to the agency and the agency tells the company "yes, this user is who they say they are".
It's not that hard. Legislators around the world are consistently dropping the ball on this.
Doesn't seem like they did. From the original article I referenced earlier:
One of Discord’s third-party customer service providers was compromised by an “unauthorized party,” the company says. [...] The unauthorized party “did not gain access to Discord directly.”
When governments do things the wrong way around, like mandating age control before they have a method for doing that in a secure manner, what's a company to do?
Good question. I'm not primarily blaming Discord or the other company for this (even though they both obviously share some responsibility, too) — I'm blaming government/legislators. I'm arguing that the government agencies/departments that own the relevant forms of ID should have been required to develop the capability to facilitate this sort of secure ID verification _years_ ago. Instead policy makers ignored reality and rushed through this legislative hatchet job... and here we are yet again. As anybody who's been awake during the last few decades could have predicted.
Tangent: I've regularly been required to provide copies of my ID to all kinds of businesses simply to function in society — i.e. in practice there is no realistic option to opt out. Want to rent a house? X points of ID. Want a phone? X points of ID. Pretty much every real estate agency in town has copies of at least my driver licence. And they in turn share my details with tenant database companies, credit reporting agencies and so on. Do you think many of these businesses have good data handling practices? Of course they don't. And so all my details are available for purchase in bulk data sets on the dark web, and get refreshed by new data breaches every few years. And yet government still treats it as somehow unexpected each time this happens, or wags its finger and bemoans those naughty criminals, instead of developing any kind of policy that would start to address the underlying issue... which is that our personal details are spread so far and wide in the first place.
1. Discord still got hacked despite being a company that must have passed some level of authorised audit in order to be able to store government ID cards. (who audits the auditors? Is there an independent rating of security audit companies? What was the vulnerability? Was there any Government due diligence?)
2. This is a great example of why "something else" is needed for proof of identity transactions over the wire, and this "something else" should exist, and have existed for long enough to develop a level of trust, before Governments start mandating that private companies audited by other private companies must undertake actions that require the storage of Government ID documents. Banking level security and regulation should be required for any aggregator of such sensitive data. That fucking Discord had Government ID docs at all is beyond ridiculous. More-so for Governments of countries other than where Discord was incorporated. A state-sponsored Russian / Chinese / North Korean / Iranian / <other> Discord-alternative would have been an interesting situation. The implicit trust in Discord, and any other "app publisher" requiring ID confirmation is just peculiar.