The cybersecurity community has long lived by a simple principle: Don't collect more data than you can protect. But ID laws and other legal mandates now force many organizations to store massive amounts of sensitive data, putting them in the precarious situation of dealing with information they don’t necessarily want but have to safeguard.
The recent data breach involving Discord illustrates this challenge. In early October 2025, the messaging and gaming platform disclosed that cyberattackers had compromised one of its third-party customer service providers, accessing personal information from users who had contacted Discord's Customer Support or Trust and Safety teams.
While the breach included typical support ticket data, including names, email addresses, IP addresses, limited billing information and customer service messages, one category of stolen data stood out: government-issued identification documents.
According to Discord's official statement, the cyberattacker gained access to government ID images from users who had used Discord's partner to appeal expulsions for being underage.
The ID law dilemma
Discord didn't collect these government IDs on a whim. Age verification laws are proliferating worldwide. These laws typically mandate age verification through government-issued documents, such as driver's licenses, passports or national ID cards.
Failure to verify IDs can result in millions of dollars in fines. The intention is sensible: protecting minors from inappropriate online content. But for the organizations that have to collect ID data, the laws can lead to a security nightmare.
Organizations now have to collect and store volumes of the most sensitive personally identifiable information possible regardless of whether they have the infrastructure to adequately protect it — or even want to collect it. The old rule of minimal data collection becomes irrelevant when the law requires maximum data collection.
The cascading impact
Any organization that interacts with the public, including health care providers, financial services firms, educational institutions or e-commerce sites, could find itself subject to age verification, identity verification or other regulatory requirements that mandate collecting and storing sensitive documents.