A good starting assumption for this answer is that the only un-hackable database is no database at all.
Data protection legislation (GDPR) already requires data minimisation – only using and retaining the data required for the purpose at hand. It is possible to provide an age verification service without retaining anything other than a personal identifier, e.g. a username (which could be “Mickey Mouse 123” or an anonymised reference number), and, of course, a date of birth or even just the fact that a user is 18+ or 13+ etc. This is perhaps the safest route, accumulating no personally identifiable data of any use to a hacker.
Any personal data used to determine the date of birth (or to estimate an age range using artificial intelligence) must be deleted, or is never stored in the first place because it is processed live “in memory” rather than saved to disk or the cloud etc. There is even technology now operating where both age verification and age estimation can be processed entirely on the user’s own device – so a user’s data never leaves the palm of their hand.
A certified Age Verification process does not create any new central databases of personally identifiable information*.
Some AV providers are also ID providers. To meet the standards of the AV industry, their solutions must give the user the ability to disclose only those aspects of their identity they choose, such as their age attribute. Where this is the case, the best practice approach to security is to make it impossible for any data to be retrieved without the user’s involvement – for example, by requiring a biometric key that can only be supplied by them from their own device. Without that key, data, whether held remotely or only locally on the device itself, remains encrypted and meaningless.
*There are some specific use-cases or jurisdictions where it is a legal requirement to retain evidence of an age check, in which case data must be encrypted to security standards equivalent to those adopted by banks. By default, our members do not retain personal data unless they are legally obliged to do so.