-
A data breach at Discord, which was storing IDs for age verification, has exposed the data of over 68,000 Australians.
-
Australia’s privacy commissioner warns this incident highlights the inherent risks of collecting sensitive identity documents for new social media age bans.
-
Regulators admit they lack the power to proactively investigate how tech companies handle user data under the new law.
A major data breach has hit a popular chat app. It happened just before the new teen social media rules began.
The incident exposed tens of thousands of IDs. Privacy officials say it’s a warning sign.
A Warning Shot Before New Social Media Rules
A major data breach at Discord has exposed the personal information of more than 68,000 Australians. The timing is causing major concern. This is because the exposed data was collected to verify users’ ages.
Now, the country’s only a month out from rolling out a “social media minimum age” ban, which will block anyone under 16 from having an account. It will likely require many users to prove their age.
Australia’s Privacy Commissioner, Carly Kind, stated the breach proves the “risks” of collecting IDs. She acknowledged the public doesn’t trust tech companies with their data. Her agency is preparing to investigate how platforms implement the new rules.
The breach affected users who had contacted Discord’s customer service. This included people who appealed the app’s age determination. To do so, they submitted sensitive documents like passports or driver’s licenses.
Discord reported the breach to authorities. It confirmed that 346 Australians faced a serious risk of harm from the exposure.
Looming Ban Raises Privacy Stakes
Commissioner Kind called the breach an example of increased privacy risk. She said it confirms concerns about the upcoming age assurance scheme. The new law has strict rules for handling this data.
It prohibits companies from using age-check data for any other purpose. They are also required to destroy the information as soon as possible. Kind’s own guidance urges platforms to use “low-intrusion” methods first.
This means checking the age of an existing account before asking for an ID. But Kind admits many Australians doubt companies will follow these rules.
She said, “I totally recognize that these are companies in which the Australian public doesn’t have a high degree of trust already.” She added that regulators exist to ensure trustworthiness in the system.
However, a major challenge exists. The privacy commissioner does not have the power to proactively investigate companies. Her office can only react to public complaints or information that becomes public.
This means they must wait for a problem to be reported. They cannot routinely check if companies are handling data responsibly. Kind has previously raised this limitation with the government.
The regulator also faces a classic David-and-Goliath scenario. A small agency is tasked with overseeing some of the world’s most powerful tech firms. Kind said her office is “well acquainted with” this kind of challenge.
Even with all these challenges, she’s still confident her agency can handle things. What really worries her is pretty basic: the more personal info you collect, the bigger the privacy risks. The Discord breach serves as a stark, real-world example of that danger.
