Comment by fireant
2 days ago
KYC data is the most dangerous data that can leak right now. If your CC leaks, you will know almost immediately and can revoke it and generally will get your money back. Password leaks can be neutered with 2FA. A medical data leak can perhaps be used in a complex extortion, but generally for most people this data is worthless.
KYC data, on the other hand, allows third-party criminals who have bought your KYC on the black market to perform money laundering in your name (by opening bank accounts) and take on debt in your name. Generally you won't even know this is happening until it's too late and debt collectors come. And it's not like you can revoke your biometrics/liveness check/selfie, and who knows if revoking your passport/ID card would actually work.
IMO it's much better if a dedicated KYC processor, like Persona, with an actual security team/mindset, handles this rather than a random website inside their Zendesk instance. But there still needs to be extremely strict regulation surrounding this data.
Also, while CC data will be getting less dangerous over time due to AI fraud detection and mandated 3DS, KYC data will IMO be getting more dangerous over time because more fintech/govtech will rely on it.