ID verification laws are fueling the next wave of breaches

ID verification laws are fueling the next wave of breaches Sponsored by Acronis November 7, 2025 10:05 AM 0 The cybersecurity community has long lived by a simple principle: Don't collect more data than you can protect. But ID laws and other legal mandates now force many organizations to store massive amounts of sensitive data, putting them in the precarious situation of dealing with information they don’t necessarily want but have to safeguard. The recent data breach involving Discord illustrates this challenge. In early October 2025, the messaging and gaming platform disclosed that cyberattackers had compromised one of its third-party customer service providers, accessing personal information from users who had contacted Discord's Customer Support or Trust and Safety teams. While the breach included typical support ticket data, including names, email addresses, IP addresses, limited billing information and customer service messages, one category of stolen data stood out: government-issued identification documents. According to Discord's official statement, the cyberattacker gained access to government ID images from users who used Discord’s partner to appeal expulsions for being underaged. The ID law dilemma Discord didn't collect these government IDs on a whim. Age verification laws are proliferating worldwide. These laws typically mandate age verification through government-issued documents, such as driver's licenses, passports or national ID cards. Failure to verify IDs can result in millions of dollars in fines. The intention is sensible: protecting minors from inappropriate online content. But for the organizations that have to collect ID data, the laws can lead to a security nightmare. Organizations now have to collect and store volumes of the most sensitive personally identifiable information possible regardless of whether they have the infrastructure to adequately protect it — or even want to collect it. The old rule of minimal data collection becomes irrelevant when the law requires maximum data collection. The cascading impact Any organization that interacts with the public, including health care providers, financial services firms, educational institutions or e-commerce sites, could find itself subject to age verification, identity verification or other regulatory requirements that mandate collecting and storing sensitive documents. Each new database of government IDs becomes a potential breach waiting to happen. When that breach occurs, the damage extends beyond immediate victims. Organizations and their partners can face regulatory penalties, litigation, reputation damage and loss of customer trust. For small and medium-sized businesses, a single significant breach involving personally identifiable information (PII) can be devastating. a.fl_button { background-color: #5177b6; border: 1px solid #3b59aa; color: #FFF; text-align: center; text-decoration: none; border-radius: 8px; display: inline-block; font-size: 16px; font-weight: bold; margin: 4px 2px; cursor: pointer; padding: 12px 28px; } .fl_ad { background-color: #f0f6ff; width: 95%; margin: 15px auto 15px auto; border-radius: 8px; border: 1px solid #d6ddee; box-shadow: 2px 2px #728cb8; min-height: 200px; display: flex; align-items: center; } .fl_lef>a>img { margin-top: 0px !important; } .fl_rig>p { font-size: 16px; } .grad-text { background-image: linear-gradient(45deg, var(--dawn-red), var(--iris)54%, var(--aqua)); -webkit-text-fill-color: transparent; -webkit-background-clip: text; background-clip: text; } .fl_rig h2 { font-size: 18px!important; font-weight: 700; color: #333; line-height: 24px; font-family: Georgia, times new roman, Times, serif; display: block; text-align: left; margin-top: 0; } .fl_lef { display: inline-block; min-height: 150px; width: 25%; padding: 10px 0 10px 10px; } .fl_rig { padding: 10px; display: inline-block; min-height: 150px; width: 100%; vertical-align: top; } .fl_lef>a>img { border-radius: 8px; } .cz-news-title-right-area ul { padding-left: 0px; } @media screen and (max-width: 1200px) { .fl_ad { min-height: 184px; } .fl_rig>p { margin: 10px 0; } } @media screen and (max-width: 1100px) { .fl_lef { width: 27%; } } @media screen and (max-width: 990px) { .fl_lef>a>img { width: 100%; } } @media screen and (max-width: 600px) { .fl_lef>a>img { width: auto; } .fl_ad { display: block; } .fl_lef { width: 100%; padding: 10px; } .fl_rig { padding: 0 10px 10px 10px; width: 100%; } } @media screen and (max-width: 400px) { .cz-story-navigation ul li:first-child { padding-left: 6px; } .cz-story-navigation ul li:last-child { padding-right: 6px; } } All-in-one integrated backup and cybersecurity platform for MSPs Acronis Cyber Protect Cloud integrates data protection, cybersecurity, and endpoint management. Easily scale cyber protection services from a single platform – while efficiently running your MSP business. Free 30-day Trial The MSP challenge Managed service providers (MSPs) get dragged by their clients into this challenge. By definition, MSPs handle sensitive data for multiple clients across various industries, each with i