
Episode #90: The Discord Breach – Could it Happen to You?
About Richa Kaul, Founder and CEO of Complyance
Richa Kaul is the Founder and CEO of Complyance, a cybersecurity and compliance automation platform helping companies proactively manage third-party risk and prevent data breaches before they happen. A mission-driven entrepreneur, Richa launched Complyance to make enterprise-grade security accessible to lean teams by automating manual, error-prone processes. Her insights bridge the gap between human behavior, internal controls, and modern cyber threats — empowering organizations to take a preventative approach to data protection.
Richa’s Links
Richa’s Company: https://www.complyance.com/
Free Vendor Analysis: score.complyance.com
Richa’s LinkedIn Profile: https://www.linkedin.com/in/richa-kaul/
Summary:
The discussion focused on a significant data breach reported by Discord, which occurred in October 2025 through a third-party vendor, exposing sensitive user information. Richa Kaul outlined Discord’s response, which included revoking access to the vendor, launching an internal investigation, and collaborating with law enforcement. She emphasized the critical risks associated with third-party vendors in data security and highlighted the need for companies to scrutinize these subprocessors as rigorously as their internal systems. Kaul proposed leveraging AI for vendor assessments to enhance compliance monitoring and identify security gaps, while also recommending compliance standards like FedRAMP as benchmarks for evaluating vendor security practices.
Richa provided actionable strategies for CEOs of small and medium-sized businesses to effectively manage vendor relationships and associated risks. She advised compiling a comprehensive vendor list, conducting basic security checks for new engagements, and utilizing endpoint management systems to control software access. By mapping the customer data journey, businesses can better assess risks and protect their brand reputation.
Kaul also discussed the financial advantages of effective risk management, noting potential savings exceeding $5 million for mid-market companies through reduced crisis management costs and improved vendor oversight. She shared resources for compliance, including a free third-party risk score tool, and clarified that Complyance specializes in controls management and vendor management, while offering to connect SMB clients with relevant services.
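The vendor-oversight approach summarised above (inventory your vendors, tier them by the customer data they receive, put the subprocessor tier on a fixed review cadence, ask each one for evidence such as recent pen tests and audits, and carry the gaps into a risk register) can be made mechanical. The Python below is an added illustration written for this page; it is not code from the podcast or from Complyance, and the data-category taxonomy, the tier names, the cadences, the 12-month evidence window and the fictional vendors are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed data taxonomy, most sensitive first; the categories mirror what the
# Discord notice lists (ID images, billing data, contact details).
SENSITIVITY = {"government_id": 3, "billing": 2, "contact": 1, "none": 0}

# Assumed review cadence per tier: quarterly for the most sensitive vendors.
REVIEW_CADENCE_DAYS = {"critical": 90, "subprocessor": 180, "standard": 365}
EVIDENCE_MAX_AGE = timedelta(days=365)   # pen test / audit must be this recent


@dataclass
class Vendor:
    name: str
    data_categories: List[str]            # customer data the vendor receives
    last_review: Optional[date]           # last completed security review
    last_pentest: Optional[date] = None
    last_audit: Optional[date] = None
    open_incidents: int = 0               # incidents reported, remediation not evidenced


def tier(v: Vendor) -> str:
    """'critical' handles identity documents or billing data, 'subprocessor'
    any other customer data, 'standard' no customer data at all."""
    score = max((SENSITIVITY.get(c, 0) for c in v.data_categories), default=0)
    if score >= 2:
        return "critical"
    return "subprocessor" if score == 1 else "standard"


def is_overdue(v: Vendor, today: date) -> bool:
    """A vendor with no review on record is treated as overdue."""
    limit = timedelta(days=REVIEW_CADENCE_DAYS[tier(v)])
    return v.last_review is None or today - v.last_review > limit


def evidence_gaps(v: Vendor, today: date) -> List[str]:
    """The quarterly check-in questions (pen test? audit? incidents?) as checks."""
    gaps: List[str] = []
    if tier(v) == "standard":
        return gaps                       # no customer data: nothing to evidence
    if v.last_pentest is None or today - v.last_pentest > EVIDENCE_MAX_AGE:
        gaps.append("no penetration test in the last 12 months")
    if v.last_audit is None or today - v.last_audit > EVIDENCE_MAX_AGE:
        gaps.append("no third-party audit in the last 12 months")
    if v.open_incidents:
        gaps.append(f"{v.open_incidents} incident(s) without remediation evidence")
    return gaps


def risk_register(vendors: List[Vendor], today: date) -> List[dict]:
    """One entry per vendor that needs follow-up, most sensitive tier first."""
    order = {"critical": 0, "subprocessor": 1, "standard": 2}
    entries = []
    for v in vendors:
        gaps = evidence_gaps(v, today)
        if is_overdue(v, today):
            gaps.insert(0, f"review overdue (cadence {REVIEW_CADENCE_DAYS[tier(v)]} days)")
        if gaps:
            entries.append({"vendor": v.name, "tier": tier(v), "gaps": gaps})
    return sorted(entries, key=lambda e: order[e["tier"]])


# Constructed sample register: fictional vendors and dates.
AS_OF = date(2025, 10, 15)
SAMPLE_VENDORS = [
    Vendor("helpdesk-saas", ["contact", "government_id"], date(2025, 4, 1),
           last_pentest=date(2024, 6, 1), last_audit=date(2025, 2, 1), open_incidents=1),
    Vendor("payments-gw", ["billing"], date(2025, 9, 15),
           last_pentest=date(2025, 8, 1), last_audit=date(2025, 5, 1)),
    Vendor("email-marketing", ["contact"], date(2025, 6, 1),
           last_pentest=date(2025, 1, 1), last_audit=date(2025, 1, 1)),
    Vendor("office-whiteboard", ["none"], None),
]


def sample_register() -> List[dict]:
    return risk_register(SAMPLE_VENDORS, AS_OF)


if __name__ == "__main__":
    for e in sample_register():
        print(f"[{e['tier']}] {e['vendor']}: " + "; ".join(e["gaps"]))
```

On the sample data only the help-desk vendor (which holds ID images, is past its quarterly review, has a stale pen test and an unremediated incident) and the unreviewed whiteboard tool appear in the register; the two vendors whose evidence is current stay off it, which is the point of prioritising by data access rather than trying to audit every tool at once.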
SHOW NOTES:
Episode #90: The Discord Breach – Could it Happen to You?
Hair On Fire: 2/5
Target group: People who want to keep their company data safe (whether or not you are paid to do that)
In a data breach reported in October 2025, Discord informed users that their personal information had been compromised. The breach did not occur directly on Discord’s main systems but through an unauthorized party compromising a third-party customer service provider.
The unauthorized access specifically targeted users who had been in contact with Discord’s customer service or trust and safety teams. The data compromised included:
- Usernames, email addresses, and IP addresses.
- Billing information, including the last four digits of credit card numbers.
- Messages exchanged with customer support.
- Crucially, the attacker gained access to a small number of government ID images (such as driver’s licenses and passports) submitted by users who had appealed an age determination.
Discord stated that the attack was intended to extort a financial ransom from the company. Discord responded by revoking the third-party provider’s access and launching an internal investigation in collaboration with law enforcement. This breach highlighted the growing risk associated with age assurance schemes, where platforms are required to collect sensitive identity documents.
Most of you are probably thinking that basic security policies should have prevented a breach like this. For example, a standard governance policy mandates rigorous Third-Party Risk Management (TPRM), including audits of vendor data retention and access controls. Risk Management should have identified storing high-value government IDs on a third-party system as unacceptable. An avoidance strategy involves using isolated internal systems to handle and automatically delete sensitive ID data. Compliance requires continuous monitoring, which could have detected unusual data exfiltration or suspicious activity from the vendor’s ticketing system immediately.
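The continuous-monitoring control named in the last sentence is concrete enough to show: if a vendor’s support account can download ticket attachments (which is where uploaded ID images would live), its audit trail should be watched for bulk access that departs from that account’s normal volume. The Python below is an added example for this page, not code from the podcast, from Complyance or from any ticketing product; the audit-line format, the actor names, the thresholds and the sample log are all constructed assumptions, and a real export would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Assumed audit-event format (one event per line); real ticketing systems
# export their own schema, so adapt LINE_RE to the export you actually have.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) "
    r"ticket=(?P<ticket>\S+)(?: bytes=(?P<bytes>\d+))?$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one audit line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["bytes"] = int(e["bytes"] or 0)
    return e


def hourly_buckets(events: List[dict], action: str = "attachment.download"):
    """Group download events by actor and clock hour: actor -> hour -> [count, tickets, bytes]."""
    buckets: Dict[str, Dict[datetime, list]] = defaultdict(
        lambda: defaultdict(lambda: [0, set(), 0]))
    for e in events:
        if e["action"] != action:
            continue
        b = buckets[e["actor"]][e["ts"].replace(minute=0, second=0)]
        b[0] += 1
        b[1].add(e["ticket"])
        b[2] += e["bytes"]
    return buckets


def find_anomalies(lines: List[str], min_events: int = 20, factor: float = 5.0) -> List[dict]:
    """Flag any actor-hour whose download count is above an absolute floor and
    far above that actor's own median hourly volume (the median keeps a single
    burst from inflating the baseline it is compared against)."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for actor, hours in hourly_buckets(events).items():
        counts = [b[0] for b in hours.values()]
        baseline = median(counts) if len(counts) > 1 else 0
        for hour, (n, tickets, total_bytes) in sorted(hours.items()):
            if n >= min_events and n > factor * max(baseline, 1):
                alerts.append({"actor": actor, "hour": hour.isoformat(),
                               "downloads": n, "tickets": len(tickets),
                               "bytes": total_bytes, "baseline": baseline})
    return alerts


def make_sample_log() -> List[str]:
    """Constructed sample: a vendor service account and an internal agent each
    pull a few attachments per working hour, then the vendor account drains
    40 distinct tickets' attachments in a single hour at 02:00 UTC."""
    lines: List[str] = []

    def add(ts, actor, ticket, nbytes, action="attachment.download"):
        lines.append(f"{ts} actor={actor} action={action} ticket={ticket} bytes={nbytes}")

    for h in (9, 11, 14, 16):
        for i in range(3):
            add(f"2025-10-02T{h:02d}:{i * 15:02d}:00Z", "svc-vendor-helpdesk", f"T-{h}{i:02d}", 40000)
            add(f"2025-10-02T{h:02d}:{i * 15 + 5:02d}:00Z", "agent.jsmith", f"T-{h}{i:02d}", 40000)
    for i in range(40):
        add(f"2025-10-03T02:{i:02d}:00Z", "svc-vendor-helpdesk", f"T-9{i:03d}", 180000)
    # A non-download event: parsed, but ignored by the download buckets.
    lines.append("2025-10-03T02:41:00Z actor=svc-vendor-helpdesk action=ticket.view ticket=T-9000")
    return lines


if __name__ == "__main__":
    for a in find_anomalies(make_sample_log()):
        print(f"ALERT {a['actor']} at {a['hour']}: {a['downloads']} downloads "
              f"across {a['tickets']} tickets ({a['bytes']} bytes), baseline {a['baseline']}/h")
```

The detector compares each account against its own history rather than a global number, so a busy internal team does not drown out a normally quiet vendor account, and the absolute floor (`min_events`) stops a vendor that usually does nothing from alerting on a handful of legitimate downloads. Feeding the alert into the same revocation step Discord took (pull the provider’s access, then investigate) is the response this control is meant to trigger.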
Here with me to talk about this today is Richa Kaul.
Richa is the Founder and CEO of Complyance, a UK-based cybersecurity and compliance automation platform. Prior to founding Complyance, she was Chief Strategy Officer at ContractPod, and also worked for the State of Virginia and McKinsey & Company.
Q: Let’s start here: what do you think went wrong in this case?
TRANSCRIPT
0:00 – David W. Schropfer
Welcome back, everybody, to DIY Cyber Guy.
This is episode 90, the Discord Breach. Could it happen to you? Now, this is a hair on fire two out of five. And it’s for people that work anywhere close to their customer data. So whether you’re being paid to keep your company’s data secure or not, you just want to see it kept secure, this applies to you. Because it touches something that we think a lot about, which is an attack surface outside of your company that could still affect the proprietary data of your company. So there was a data breach reported in October 2025 by Discord. And what they said was Discord informed their users that their personal information had been compromised. How many times have we talked about that on this podcast? And so what’s interesting about this breach is that it did not occur directly on Discord’s main platform, but through an unauthorized party, a hacker, coming into a third party system that Discord had hired. So a platform as a service or software as a service. Now, to be clear, we don’t know who that third party was. We don’t know what the nature of that actual attack was. We certainly don’t know who the attacker was. None of that was disclosed. But the fact is that this breach happened outside of Discord’s network within one of the vendors that they hired. So what did the bad guys get? So they got things like usernames, email addresses, IP addresses. IP addresses are something that obviously has a different level of value to threat actors. They also got billing information, including the last four digits of credit card numbers. Okay, now we’re getting closer to things that can be used for identity theft. They got messages that were exchanged between the customer and customer support, which is probably something that they could use for spear phishing if they really wanted to send a very specific email to a single person to try to extract information or get that person to click something or do something that they otherwise shouldn’t do.
That’s great spear phishing material. But the most important thing that they got is what’s described as a small number of government IDs. What do I mean by that? Driver’s licenses, passports, state IDs, that type of thing. Again, we don’t have a lot of detail of what was stolen, but man, that’s the holy grail to a threat actor. If they have that, there’s no limit to the identity fraud that that threat actor can try to impose on both the victim, the direct victim, the user, and also the company. And the company was the target of this attack, not the individuals, apparently, because Discord stated that this was an attempt to extort financial ransom directly from Discord. Now, what Discord did was laudable. They responded by revoking the third-party provider’s access. Okay, that’s probably a really smart first thing to do. They launched an internal investigation, of course. They’re collaborating with law enforcement, and they’re focused on remediation by reaching out to each one of the customers and telling them what happened and what they can do about it, again, which is information that was not made publicly available. Now, most of you are probably thinking that basic security policies should have prevented something like this. For example, in a standard governance policy, there’s always a third party risk management policy or TPRM that governs how you handle companies outside of your network that are given access in any way to your network, because they matter too. If they’re attacked and they’re breached, that too could breach your data, your customer information, and of course, the reputation of your company. So what happened and how did it happen? So here with me to talk about all this today is Richa Kaul. Richa is the founder and CEO of Complyance, which is a UK-based cybersecurity and compliance automation platform.
Prior to founding Complyance, she was Chief Strategy Officer at ContractPod, and she also worked for the state of Virginia and McKinsey & Company. Welcome, Richa. Thanks so much for having me, David. Happy to be here. Thanks for being on the show. Can’t wait to dive into this topic with you. So let’s start here. What do you think went wrong in this case? Yeah.
5:22 – Richa Kaul
So this is a tough one, David, to be honest, because when it comes to companies’ management of their third party, we see enterprises take a very varied approach. It is a difficult portion of the attack surface to be in control of, and we understand that there’s going to be, you know, breaches and issues that do happen. Again, we don’t like to breach shame any enterprises. That being said, I think that it’s really, really important to be in control of your third party risk as much as possible. So what we really expect out of a company like Discord is to be very cognizant of the level of sensitive information that they hold for customers. Track which vendors actually have access to that third party information. So in this case, it was their customer service portal of some sort. And essentially continuously review those third parties to make sure that they can trust that their customer’s data is going to be secure with those subprocessors. So that’s where I’m going to start and I want to talk a little bit more about that. The very first thing I want to say is that what I see as a best practice is to really scrutinize your third parties based on the level of access that they have to your customer’s data. Of course, it’s common for a SaaS company to think of the first tier of their vendors as their subprocessors. So who is actually subprocessing your customer data on your behalf? And of course, a list of subprocessors should be widely available on the company’s website. And all of those vendors should be reviewed carefully every year or maybe even more frequently. For example, doing consistent vendor scans and actually scrutinizing them as much as you would scrutinize your own team and your own product because they basically have a similar level of access to your customer’s data as you do. Does that make sense, David? It does. And I think that’s an interesting perspective.
If you actually treat them as part of your system subprocessor in your own system, what rigor would you put your own subprocessors through in your own data center, right?
7:29 – Unidentified Speaker
It’s probably a very high level. You don’t want it to break. You don’t want it to fall behind in terms of updates and upgrades and patches, of course. And you don’t want it, of course, to have any sign that it’s being compromised or data is being exfiltrated. So it’s an interesting way to think about it. Just pull them into the same rigor that you’d put onto your own system and your own subprocessors. Is that effectively what you’re saying? Exactly.
7:56 – Richa Kaul
And as difficult as that may sound, we do see that more and more of the most stringent compliance standards out there are expecting that of the companies that are complying. So for example, with FedRAMP, at the highest level of FedRAMP compliance or CMMC compliance, you’re actually required to bring a level of stringent compliance review to your vendors almost to the degree that you bring to yourself. And so we’re seeing that come into more, you know, kind of standardized models of GRC and oversight. Okay, let’s talk a little bit about FedRAMP because that’s obviously for the U.S. Federal government to use to do diligence in a structured way on the vendors that do business with the government.
8:37 – Unidentified Speaker
But that said, any company can still ask for FedRAMP compliance out of any one of their vendors. So, you know, you got to understand about half of the heads exploded of the listeners that are listening to this podcast right now, because it seems like such a big problem. Oh my God, how do I pull in? First of all, how do you categorize all those vendors? Who are they? What is the data set that each one of them has access to? And how do I really pull them in to evaluate them like a sub-processor of my own system? I like to give my listeners ideas like, hey, just start asking your vendors, at least your new ones, to comply or to represent that they comply with FedRAMP standards and have them individually go through the FedRAMP process. I think that’s a great idea. Is there anything like that, which is relatively easy or one of the easy things that companies can do to help get their vendors to show them that they are in compliance? Yeah, so I think you’re right.
9:36 – Richa Kaul
The first piece of that on figuring out who do we need to ask, like, let’s be very realistic, you know, GRC teams have to be cost conscious because it’s almost impossible to control all the potential risk to an organization. And if you start to think about your third parties, it starts to get out of hand. So one, how do you prioritize? And for that, I would just say, use the trick of focusing on your subprocessors. It’s really about who has access to your customers’ data when you’re thinking about this. And that list is usually, it’s not necessarily short, but it’s at least something you typically have off the shelf because it’s required for your privacy policy, it’s required for your, you know, your compliance standards. So start there. For those ones, a lot of my clients would say, you know, it doesn’t make sense for us to ask them to be FedRAMP compliant. How do we even know? So what I would say for those folks is that ask them instead for some of the kind of evidence items that you might yourself show during an audit, and then use AI to actually review those evidence items and make sure that they’re meeting your minimum standards. And that’s something obviously that we offer and other tools do as well, to be able to use AI to vendor risk score, right? So you can do that continuously, and then make specific asks to them and use AI to review the evidence that they provide to you. So almost run many audits in a scalable, automated way, only flagging to you the gaps from those vendors that you can identify further, and treat those gaps as real potential risks, add them to your risk register, follow up with them, think about, you know, remedial and treatment plans as you would for an enterprise risk. At the end of the day, that is part of your attack surface. Exactly. And I want to give you a chance to talk a little bit more about Complyance in that context.
11:16 – Unidentified Speaker
And for my listeners, Complyance is not a sponsor of this podcast. We never charge a fee to our interviewees ever on this podcast. But in this case, I’m genuinely interested in the problem, which is third-party vendors getting hacked, therefore exposing their clients to bad press, bad PR, and of course, data loss, but also the use of AI to get that macro problem, among others, under control. So that said, Richa, could you talk a little bit more about Complyance and how it’s using AI for this particular problem? Not the full set of what you can cover for your clients, but for third-party risk assessments, managing those third-party vendors, how are you using AI to accomplish that?
12:01 – Richa Kaul
Yeah, great, great question, David, and happy to jump in. And again, this isn’t about our platform. It’s more just about how do you solve this problem? And that’s really what I’m here to talk about. So our platform, Complyance, spelled with a Y, is a little play on words, compliance with the Y. How do you use compliance to solve the real whys behind the program, like risk reduction and risk visibility? If you think about it this way, you have your list of vendors. Again, it doesn’t need to be in the platform, that’s an example. You have your list of vendors, and those vendors can be categorized based on their criticality, based on, you know, the level of review you want to do. So let’s say you have your subprocessors category, and that’s your highest level of review. Then what you may want to do is set a frequency cadence on that vendor. Again, you can do this even in an Excel sheet if you want to, and say something like, you know, we want to review our subprocessors, let’s say quarterly, with a short assessment, and then we want to review them more thoroughly. Maybe quarterly, you have an automated assessment that goes out, again, in the platform or outside of it, which asks some basic things. You know, have you had a pen test in the last three months? Have you gone through an audit in the last three months? Have you had any incidents in the last three months? Any breaches in the last three months? Even if they didn’t affect us, can you please share if you have? What did you do about them? Any vulnerabilities identified? What did you do about them? And what you’re looking for is actually, one, are they able to answer these questions, which gives you a signal immediately of, yes, they have their security posture under control. You’re also looking for threats that may not have affected you, but you can sort of start to see and build a picture up of this vendor and how reliable they are, how similar they are to you and the standards that you hold yourself to.
Again, no vendor is perfect. You’re going to see vulnerabilities every quarter. You’re going to see that. But the question then becomes: what was the remediation timing like? Have you closed them out already? And so on and so on. And so what you’re trying to do is build up, again, a picture of trust with a vendor. And by checking in on them every quarter in a completely automated way with AI reviewing the responses, you start to have a consistency in the signals you get from them so that you can be a better judge of their trustworthiness. And of course, then you can start to make decisions on if it makes sense to keep that vendor. I realize this is easier said than done, but it is very possible to use automation and AI to scale it and to make this a real input into your risk landscape. OK, so some of the people that are listening to this right now are CEOs of small and medium-sized businesses.
14:46 – Unidentified Speaker
They don’t have a governance, risk, and compliance department, much less they might not know what that term is or really means. They’ve got a few different divisions. And yeah, sometimes people download apps and open accounts and different CRMs are used by different sales teams within your organization. What’s the first step that senior executive or that CEO or that founder should do to walk in the direction, short of building a SOC, a security operations center, and hiring a security operations team? If they don’t have that, if that’s really something off the side of the plate of an IT department, or managed service provider, what’s the first step that that CEO should take in terms of questioning or in terms of walking down this path of getting those external vendors, like I just described, there might be no central avenue to bring those vendors into the system. They might be the decisions of lots of different division heads across the company. How do you start to bring that under one umbrella? What’s the first step? First step is to get in control. And that breaks down into two sub-steps, which I’ll go into.
15:52 – Richa Kaul
But the thing I hear oftentimes, too often, from sometimes it’s CCOs, sometimes it’s COOs, sometimes CEOs of smaller companies, is that they don’t even have a list of all of their vendors. Because just as you said, the folks on their team, department heads, they’re going and procuring software and it costs, you know, 5K, 3K. It’s actually even more dangerous the cheaper that it is because they usually don’t have as many security controls in place, they may not be able to afford it. And make a list of all of your vendors. What I would then say is that instill a process, this is kind of a part two of this, getting in control, instill a process for new vendors. You are not allowed to sign up for a new vendor unless it just goes through the most basic of security checks. And I can talk about what that security check looks like, but those are the first two just mini steps to get in control. And once you have that process in place, you at least get visibility over who the vendors are and are running, again, prelim checks, baseline checks around whether or not they meet the standards of your organization, and you can trust them with your data. Talk about how a CEO could actually control that. You’re saying getting them under control.
17:06 – Unidentified Speaker
Information is certainly a part of that, but what’s the stick in that scenario? Can we give our, the CEO is listening to this, or let’s give the CEO some comfort, that there should be systemic ways. If they have control over the devices that are being used to access company data, information in the company’s database, in the company’s systems, or apps within the company’s systems, there should be a central way to block that access in a worst case scenario. They can block everybody and then just start to turn them on one at a time or something like that. What would you suggest to that CEO who says, wait a minute, what if I don’t get the information? What if my division heads don’t know every single app purchased by every single employee in their division? What do I want to do to stop the bleeding?
17:54 – Richa Kaul
Yeah, of course, you and I both know, David, there’s a lot of endpoint management systems that allow you to control which are the softwares that are available and block certain sites or rather enable, block all, enable some type of control. Yeah. And so you can, you can absolutely instill all of those. I think what it comes down to for me is that that feels like yet another burden. And this is where it gets really tricky. You know, how do you make this as frictionless as possible? And I do think that then going back to the prioritization question and saying, okay, you know, if it feels too, um, unmanageable to get a full list of every app that everyone has signed up for, then focus on where customer data is going and you should be able to map out at least your customer’s data based on the point of entry. You know, where is it being stored? You can almost track a customer’s journey using your service or product and understand where is that customer data going?
18:51 – Unidentified Speaker
And at bare minimum, assess just those points.
18:55 – Richa Kaul
Because at the end of the day, that is where you’re going to get the most blowback, the most financial repercussions, most reputational damage, is if you start to have your customer’s data get breached because of the third parties that you have trusted with it. OK. So you mentioned the risk associated with this type of breach.
19:16 – Unidentified Speaker
Yes. A definite body blow to the brand image, the trust of your brand name, could be a lot of legal expenses. In a worst case, it’s a ransom, literally a ransom payment, as if your data itself is a type of hostage. Let’s talk about the reward a little bit. Because sometimes just, we’re going to have a certain number of leaders out there listening to this who say, I’m too small. That’s not going to happen to me. I don’t have enough of this problem. But let’s talk about some of the reward of getting your hands around some of these things and getting ahead of it. Absolutely.
19:55 – Richa Kaul
Yeah. And I can give some other tools that are low cost as well, just as an option for those folks who don’t see the ROI as much. When it comes to the reward, first and foremost, you’re talking about prevention of millions of dollars in charges. And then you’re talking about the stabilization of your revenue base. That alone is literally in the millions of dollars for most of the companies that we’re speaking to about this problem. When we try to quantify the risk reduction that is felt from our solution, it is so high that we actually end up excluding it from the ROI calculation. Because it feels almost overblown, right? You’re talking like a mid-market company is seeing like, you know, 5 million plus in risk reduction coming from everything from the type of crisis management that they would need to deploy in order to respond to a breach all the way through to the potential customer churn from, again, a client saying, you know what, actually, I don’t want to trust you with my data anymore because, you know, you don’t seem, doesn’t seem to be in the best of hands. And so between all of those, we’re talking millions of dollars. But let’s talk also about a few other things. One is time savings. I think that people kind of take for granted that, you know, this manual process that you’re doing, to whatever extent that you’re doing it, even just trying to get a handle around your vendors every, you know, quarter, year, whatever, for your financial counselor, let’s just say. That kind of stuff, the time savings from getting a handle of your vendors earlier on, actually has a positive ripple effect across other functions and other parts of the business, not only just the risk side of the team. And we have actually seen that. Clients are able to get a grasp on their vendors, now actually multiple other functions are happy. You also see the time savings from any type of work that you’re doing, whatever it may be, to think about your internal audits.
Because of course, you’re actually having things more in control. Then you have the cost savings that are more proactive. And then finally, you have the more qualitative piece, which is just peace of mind. I’m a business owner myself. Peace of mind, sleeping at night. Sleeping at night. I can go to bed easier that we get proactively pen tested and try to understand any of our vulnerabilities on a proactive basis twice a year. We actually use different pen testers just to see if someone’s going to find something new. And yes, I’m giving, coughing up money to do that, but those are the kinds of things that let me sleep at night and make sure that we can promise our clients that their data is in secure hands. So spend some time, spend some money now and reap the benefits of that time savings and cost savings forever.
22:39 – Unidentified Speaker
Indeed. By just sticking to the policies. Indeed. Richa, it’s been great having you on the show. Thank you for diving into some of these topics. I think you’ve given some more restful nights to my listeners. To the listeners of this podcast. Where can people find out more about what you do? Absolutely.
22:58 – Richa Kaul
Well, please, I would say for anyone listening who’s interested in any of these topics, please feel free to follow me or Complyance on LinkedIn. So that’s C-O-M-P-L-Y-A-N-C-E or complyance.com. We also have a free third-party risk score available. Anybody can use it. You can put in any of your vendor names and get a live risk score of that vendor. And that’s just score.complyance.com as well. So you can find us there, and hopefully look forward to connecting with some of you. Wonderful. And if any of you missed any of those URLs, you can also go to DIY Cyber Guy, of course. Search episode 90. That’s 9-0. And you will find everything that Richa just said. Thanks again. It’s been wonderful chatting with you.
23:35 – Richa Kaul
Thanks so much, David.