Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this is good faith is a very good question)
In my opinion, they’re still somewhat at fault, because this was them failing to find and configure their software to work with a third-party identity provider who’s infrastructure was built to handle the security of sensitive information, and just choosing to use email through Zendesk because it was easier in the meantime. A platform that I should note has been routinely accessed again and again by attackers, not just for Discord, but for all sorts of other companies.
The main problem is that legislation like the Online Safety Act require some privacy protections, like not collecting or storing certain data unless necessary, but they don’t require any particular security measures to be in place. This means that, theoretically, nothing stops a company from passing your ID to their servers in cleartext, for example.
Now compare this to industries like the credit card industry, where they created PCI DSS, which mandates specific security practices. This is why you don’t often see breaches of any card networks or issuers themselves, and why most fraud is external to the systems that actually process payments through these cards. (e.g. phishing attacks that get your card info, or a store that has your card info already getting hacked)
This is a HUGE oversight, and one that will lead to things like this happening over and over unless it becomes unprofitable for companies to not care.
While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.
Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.
The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.
Oh, of course the legislation is to blame for a lot of this in the end. I’m just saying that Discord could have already partnered with a number of identity verification services that do already have this infrastructure up and running, with standardized and documented ways to call their APIs to both verify and check the verification of a user.
At the end of the day, Discord chose to implement a convoluted process of having users email Discord, upload IDs, then have Discord pull the IDs back down from Zendesk and verify them, rather than implementing a system where users could have simply gone to a third-party verification website, done all the steps there, had their data processed much more securely, then have the site just send Discord a message saying “they’re cool, let 'em in”
Literally days ago i was accessing a nsfw channel and i got “well, you should send to us your ID and things so i can verificate you” and i thought “no way! I don’t want to give my infos, if they have a data breach we are all doomed” and i ignore, well i don’t want to say “i told you so” but…
Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this is good faith is a very good question)
In my opinion, they’re still somewhat at fault, because this was them failing to find and configure their software to work with a third-party identity provider who’s infrastructure was built to handle the security of sensitive information, and just choosing to use email through Zendesk because it was easier in the meantime. A platform that I should note has been routinely accessed again and again by attackers, not just for Discord, but for all sorts of other companies.
The main problem is that legislation like the Online Safety Act require some privacy protections, like not collecting or storing certain data unless necessary, but they don’t require any particular security measures to be in place. This means that, theoretically, nothing stops a company from passing your ID to their servers in cleartext, for example.
Now compare this to industries like the credit card industry, where they created PCI DSS, which mandates specific security practices. This is why you don’t often see breaches of any card networks or issuers themselves, and why most fraud is external to the systems that actually process payments through these cards. (e.g. phishing attacks that get your card info, or a store that has your card info already getting hacked)
This is a HUGE oversight, and one that will lead to things like this happening over and over unless it becomes unprofitable for companies to not care.
While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.
Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.
The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.
Oh, of course the legislation is to blame for a lot of this in the end. I’m just saying that Discord could have already partnered with a number of identity verification services that do already have this infrastructure up and running, with standardized and documented ways to call their APIs to both verify and check the verification of a user.
At the end of the day, Discord chose to implement a convoluted process of having users email Discord, upload IDs, then have Discord pull the IDs back down from Zendesk and verify them, rather than implementing a system where users could have simply gone to a third-party verification website, done all the steps there, had their data processed much more securely, then have the site just send Discord a message saying “they’re cool, let 'em in”
Literally days ago i was accessing a nsfw channel and i got “well, you should send to us your ID and things so i can verificate you” and i thought “no way! I don’t want to give my infos, if they have a data breach we are all doomed” and i ignore, well i don’t want to say “i told you so” but…