Discord blamed a vendor for its data breach — now the vendor says it was ‘not hacked’

5CA is a customer service support company that works with Discord. Recently, the chat platform said the vendor had been breached as part of a “security incident” where 70,000 government ID photos may have leaked. Now, 5CA says in a post on its website that it was “not hacked.”

According to Discord, “this incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams,” and “of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.” The company said that (emphasis Discord’s) “this was not a breach of Discord, but rather a breach of a third party service provider, 5CA, that we used to support our customer service efforts.”

However, on its website, 5CA shared its own statement, which I am including in full below (with emphasis 5CA’s):

We are aware of media reports naming 5CA as the cause of a data breach involving one of our clients. Contrary to these reports, we can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client. All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls.

We are conducting an ongoing forensic investigation into the matter and collaborating closely with our client, as well as external advisors, including cybersecurity experts and ethical hackers. Based on interim findings, we can confirm that the incident occurred outside of our systems and that 5CA was not hacked. There is no evidence of any impact on other 5CA clients, systems, or data. Access controls, encryption, and monitoring systems are fully operational and, as a precautionary measure, are under heightened review.

Our preliminary information suggests the incident may have resulted from human error, the extent of which is still under investigation. We remain in close contact with all relevant parties and will share verified findings once confirmed.

We’ve asked 5CA to confirm if it handled government ID photos and if it could share more information about the “human error” that may have been involved. We’ve also asked Discord if it can confirm which company was in possession of the photos of government IDs that may have been accessed.