South Korea’s privacy watchdog said it imposed a combined 4.7882 billion won in administrative fines and 17.4 million won in penalties on three businesses, including matchmaking firm Duo Information Co., for violating personal data protection rules.
The Personal Information Protection Commission said it made the decision at its seventh plenary meeting on the 23rd, also ordering corrective measures and public disclosure. Key violations included large-scale data leaks and the collection and storage of resident registration numbers without a legal basis.
The biggest breach involved Duo. Investigators said a hacker in January infected a Duo employee’s work PC with malware, obtained database server account credentials and accessed the member database, leaking personal information of 427,464 full members.
The leaked data included basic details such as names, dates of birth and contact information, as well as sensitive profile information that could reveal personal characteristics, including education, workplace, religion and marital history. Because matchmaking services handle broad, life-related details, authorities said the risk of secondary harm is high.
The commission said Duo lacked basic access controls, such as blocking access after repeated authentication failures, and used weak encryption methods for resident registration numbers and passwords. It also collected and stored resident registration numbers without legal grounds and failed to destroy about 290,000 records after retention periods expired.
Authorities also faulted Duo for delaying its report of the breach for more than 72 hours after recognizing the leak and for not notifying users.
The commission fined Duo 1.197 billion won and imposed 13.2 million won in penalties, ordering it to notify affected individuals and prepare measures to prevent a recurrence.
Two other companies were cited for inadequate safeguards: call center outsourcing firm KS Korea Employment Information and Geumreung Park Cemetery.
KS Korea Employment Information was fined in the 3.5 billion won range after an administrator account was stolen, leading to the leak of personal data on about 40,000 employees and applicants and 50,000 personnel documents. Geumreung Park Cemetery was fined 54.2 million won after a website vulnerability exposed personal data of about 5,000 people.
“Resident registration numbers must be handled only in limited cases where there is a legal basis,” the commission said, urging businesses to collect only the minimum necessary data and thoroughly implement security measures such as encryption.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.