Identity documents used to verify users’ ages have been caught up in a major data breach at messaging platform Discord, heightening privacy fears just weeks before Australia’s social media age ban takes effect.
Discord last week revealed that it had been the victim of a data breach, with hackers compromising a third-party customer service provider used by the company.
The third party, 5CA, provided customer service for Discord and fielded complaints related to the company’s age verification process.
That work may have included handling complaints about failed age verification attempts, in the course of which users supplied identity documents to the third-party provider, which is how government IDs came to be held on the vendor’s systems rather than only on Discord’s own.
Discord confirmed that the data involved included government-ID images, along with names, usernames, email addresses, limited billing information including the last four digits of credit cards, and messages with customer service agents.
The hackers have since reportedly shared examples of the data they obtained, including selfies of Discord users holding their government IDs.
Selfies for age verification
Discord earlier this year began requiring users in the United Kingdom to upload a selfie with their ID after the Online Safety Act came into effect in July. The Act imposed a legal duty on online services to protect children from harmful content.
The hackers have claimed to have more than 2 million similar images, but this has been rejected by Discord, with a spokesperson saying this was part of an “attempt to extort a payment from Discord”.
“We will not reward those responsible for their illegal actions,” the spokesperson told The Verge.
“All affected users globally have been contacted, and we continue to work closely with law enforcement, data protection authorities and external security experts.
“We’ve secured the affected systems and ended work with the compromised vendor.
“We take our responsibility to protect your personal data seriously and understand the concern this may cause.”
The data breach has raised concerns about the collection of highly personal information and identity documents under schemes that require tech companies to verify the age of their users.
Notably, the Discord breach did not involve a third-party age assurance provider; the compromised vendor was a customer service company handling support requests about the age verification process. Identity documents sent through a support channel end up stored and accessible wherever that channel’s tickets live, so the exposure of a support vendor can leak the same material as a breach of the verification system itself.
Australia’s social media age ban
There have been data protection and privacy concerns surrounding Australia’s impending social media age ban, which comes into effect in two months.
The Office of the Australian Information Commissioner (OAIC) late last week issued guidance for tech companies impacted by the new scheme, outlining their “stringent legal obligations” to ensure the age ban is implemented using “privacy-respecting approaches”.
“We’re putting age-restricted social media platforms on notice,” Privacy Commissioner Carly Kind said.
“The OAIC is here to guard and uplift the privacy protections for all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”
The guidance sets out what is “out-of-bounds” in terms of personal data handling under the scheme, and states that the scheme is “not a blank cheque to use personal or sensitive information in all circumstances”.
It requires tech firms to minimise the personal and sensitive information they collect, and to destroy personal information once it has been used for its intended purpose.
The federal government’s trial of age assurance technology on offer found that some providers were “over-anticipating” the need to retain data under such a scheme, in case it was needed for investigations or legal cases, and that this “increased risk of privacy breaches”.
There has been a series of high-profile and significant data breaches impacting Australians in recent months.
Over the weekend, hackers who targeted Qantas posted what appeared to be 153GB of customer data on the dark web, following through on an earlier threat.
The hackers compromised a third-party call centre in July and gained access to Qantas customer data, and have now allegedly dumped the five million customer records online.
Qantas has told customers that this data includes customer names, email addresses, phone numbers, birth dates and Frequent Flyer numbers.