Hacker News

lschueller yesterday at 11:22 PM, 6 replies

Asking this out of curiosity: is it a requirement that such data is being stored once the verification process is completed?


Replies

3eb7988a1663 today at 1:03 AM

That is the bonkers thing about this story. Why take on the liability? Get what you need and toss the responsibility. If you must store it (which seems unlikely), put that extra-bad-if-leaked information behind a separate append-only service for which read is heavily restricted.

Spooky23 today at 2:10 AM

I’m in a different industry, but when I’ve had to collect identification for reasons, we extracted metadata at the time of presentation, validated it, and discarded the image.

We would never get clearance from counsel to store that in most scenarios, and I can’t think of a reason to justify it for an age or name verification.

stravant today at 3:28 AM

Why are people assuming they did store it after the process was completed?

With the relatively low number leaked here it could have been information collected actively during an ongoing breach, not a dump of some permanent database.

itake today at 12:54 AM

Just a guess, but they may store the original ID card to audit duplicate accounts.

If their machine learning models think that two people are the exact same, having the original image, especially a photo of the same ID card, could confirm that.

dathinab today at 12:54 AM

In the case of the EU it's more the opposite.

GDPR requires data minimalism and ~use case binding, so if you submit data for age verification there is no technical reason to keep it after knowing your age, so you _have to_ delete it.

StanislavPetrov today at 12:17 AM

Requirement by who? Discord isn't required to demand your ID, let alone store it.
