CONTENTS
- 1. Personal information hacking | Overview and structure of the Duo 430,000 information leak incident
  - Leaked information
  - Characteristics of the data structure of the marriage information business
- 2. Personal information hacking | Structure of personal information leakage and scope of management responsibility
  - Internal control failures and limitations of technical safeguards
- 3. Personal information hacking | Major obligations and violation structure under the Personal Information Protection Act
  - Violation of safety measures obligations
  - Violation of breach notification and reporting obligations
  - Violation of restrictions on processing resident registration numbers
- 4. Personal information hacking | Standards for determining corporate responsibility
  - Factors considered
  - Corporate risk structure and expansion pattern
- 5. Personal information hacking | Corporate response strategy
  - Corporate Response Checklist
  - Strategy of Daeryun Law Firm
1. Personal information hacking | Overview and structure of the Duo 430,000 information leak incident

This personal information hacking incident was not a direct external attack on the database; the database was reached through an internal terminal.
The work PC of an employee who handled personal information was infected with malware, and the database (DB) account credentials were stolen through it.
The attacker then used that account to access the server directly and export all member data.
What matters about this process is that the entire member data set was downloaded, not just part of it.
It has been confirmed that the information of approximately 427,000 people was leaked, and the scope includes the following information.
The Personal Information Protection Commission investigated Duo in relation to the incident and imposed a penalty surcharge of approximately 1.197 billion won and an administrative fine of 13.2 million won.
Leaked information

| Division | Detail |
| --- | --- |
| Basic information | Name, date of birth, address, contact information |
| Unique identification information | Resident registration number |
| Sensitive information | Religion, marital history |
| Other | Education, employment, family relationships, physical information |
Additionally, approximately 300,000 records that should have been destroyed after the contracts ended were still being stored, and these were leaked as well.
Characteristics of the data structure of the marriage information business
Due to the nature of the service, the marriage information business collects a variety of information to match members.
Unlike general online services, information that goes beyond identity verification and includes an individual's living environment and values is used.
• Information related to social status, such as education, employment, and assets
• Information on personal characteristics such as religion, orientation, etc.
Individually, each piece of this information may be fragmentary, but combined it identifies and profiles an individual with very high accuracy.
In other words, this incident is not a one-time personal information hack; it has the structure of an entire set of profile data being leaked to the outside.
Such data can be abused in various forms, such as fraud, targeted approaches, and identity theft, and from the company's perspective the sensitivity of the information itself widens the scope of responsibility.
2. Personal information hacking | Structure of personal information leakage and scope of management responsibility
The key issue in this personal information hacking incident is not the external hacking act itself, but whether the internal management system meant to prevent such hacking was operating properly.
In general, a company's responsibility in a personal information leak is judged not by whether hacking occurred, but by whether its technical and managerial measures were sufficient to block the possibility of hacking.
In this case, however, the following management problems were identified:
Internal control failures and limitations of technical safeguards
• Insufficient database access control system
• Insufficient level of encryption for resident registration number and password
These factors can be seen as a failure of the internal control system to function throughout the personal information processing process, rather than as an isolated technical weakness.
In particular, the fact that database access was not blocked even after account credentials were stolen through an employee's PC means that access-rights management and anomaly detection systems were not properly established.
As a result, this incident can be evaluated not as a one-time event caused by an external attack, but as a structural problem in which the internal management system and the technical protection measures failed to work together.
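The point made above, that stolen DB credentials should still be caught by access-rights management and anomaly detection, can be illustrated with a small detector run over DB audit logs. The following is an added example written for this article, not code from Duo or from the Commission's investigation. The log line format, the network 10.0.1.0/24 that the `app_svc` account is allowed to connect from, the 10,000-row bulk threshold and the business-hours window are all assumptions, and the log lines are constructed. It goes slightly beyond the incident as described: besides one huge SELECT it also flags a paged export made of many small reads, by summing rows per (account, source) session.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample DB audit-log lines (not real Duo data). The account
# app_svc is normally used by application servers in 10.0.1.0/24; the third
# and fourth lines show it used late at night from a workstation address to
# read the whole member tables.
SAMPLE_LOG = """\
2024-03-02T10:15:01 user=app_svc src=10.0.1.12 op=SELECT table=members rows=1
2024-03-02T10:15:09 user=app_svc src=10.0.1.12 op=SELECT table=members rows=20
2024-03-02T23:41:30 user=app_svc src=10.0.50.77 op=SELECT table=members rows=427000
2024-03-02T23:42:02 user=app_svc src=10.0.50.77 op=SELECT table=past_members rows=300000
2024-03-03T09:02:11 user=app_svc src=10.0.1.13 op=SELECT table=members rows=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Assumed policy (illustrative): networks each DB account may connect from,
# the cumulative row count per (account, source) that counts as a bulk
# export, and the local hours during which access is expected.
ALLOWED_SOURCES = {"app_svc": [ipaddress.ip_network("10.0.1.0/24")]}
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(8, 20)  # 08:00 to 19:59


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def source_allowed(user, src):
    """True if the account is permitted to connect from this source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES.get(user, []))


def detect(log_text):
    """Return a list of (timestamp, rule, detail) alerts for the given log text."""
    alerts = []
    session_rows = defaultdict(int)  # (user, src) -> rows read so far
    bulk_flagged = set()             # sessions already reported as bulk reads
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        session_rows[key] += rec["rows"]
        if not source_allowed(rec["user"], rec["src"]):
            alerts.append((rec["ts"], "unexpected_source",
                           f"{rec['user']} connected from {rec['src']}"))
        # Summing per session catches both one huge SELECT and a paged export
        # made of many small ones; each session is reported once.
        if session_rows[key] >= BULK_ROW_THRESHOLD and key not in bulk_flagged:
            bulk_flagged.add(key)
            alerts.append((rec["ts"], "bulk_read",
                           f"{session_rows[key]} rows read by {rec['user']} from {rec['src']}"))
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append((rec["ts"], "off_hours",
                           f"{rec['user']} active at {rec['ts'].time()}"))
    return alerts


def rule_counts(log_text):
    """Count alerts per rule; a summary view and a convenient check of the detector."""
    return Counter(rule for _, rule, _ in detect(log_text))


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

On the constructed log the two late-night statements from 10.0.50.77 each trigger `unexpected_source` and `off_hours`, and the first of them trips `bulk_read`; the ordinary application traffic produces nothing. A real deployment would feed the detector from the database's own audit log and, for the source-allowlist rule, enforce the same restriction at the database's connection level rather than only alerting on it.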
3. Personal information hacking | Major obligations and violation structure under the Personal Information Protection Act
A company's liability is judged based on whether legal obligations have been properly fulfilled throughout the entire process of processing personal information, rather than on individual violations.
Violation of safety measures obligations
Article 29 of the Personal Information Protection Act requires personal information processors to take technical and managerial protection measures to prevent the leakage of personal information.
This includes managing access rights, establishing authentication procedures, applying encryption measures, and so on.
In this incident, it was confirmed that there was no limit on the number of failed login authentication attempts and that database access control was also insufficient.
In addition, the level of encryption applied to passwords and resident registration numbers was found to be insufficient.
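Two of the findings above, the missing limit on failed login attempts and the insufficient protection of stored passwords, are addressed by controls small enough to show in full. The following is an added example written for this article, not code from Duo. It stores passwords only as salted scrypt hashes (one-way, so a stolen table cannot be decrypted the way a reversibly encrypted one can) and locks an account after a run of failures. The policy values, five failures and a fifteen-minute lockout, are assumptions, and the `Clock` class exists only so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Assumed policy values (illustrative, not Duo's): five consecutive failures
# lock the account for 15 minutes, and passwords are stored only as salted
# scrypt hashes, never encrypted in a reversible form.
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)


def hash_password(password, salt=None):
    """Return (salt, digest). scrypt is one-way and memory-hard, so a stolen
    table yields no passwords without a per-entry guessing effort."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Used for unknown accounts so that a failed lookup costs the same as a real
# check (a timing difference would reveal which usernames exist).
_DUMMY_CREDS = hash_password("placeholder-not-a-real-password")


class Clock:
    """Adjustable clock so the lockout window can be tested without waiting."""
    def __init__(self):
        self.t = datetime(2024, 1, 1, 9, 0, 0)

    def __call__(self):
        return self.t

    def advance(self, minutes):
        self.t += timedelta(minutes=minutes)


class LoginGuard:
    """Verifies passwords and enforces a failure limit with a lockout window."""

    def __init__(self, users, now=datetime.now):
        self.users = users        # username -> (salt, digest)
        self.failures = {}        # username -> consecutive failures
        self.locked_until = {}    # username -> datetime
        self.now = now

    def is_locked(self, user):
        until = self.locked_until.get(user)
        return until is not None and self.now() < until

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked'. A locked account is not checked
        at all, so guessing cannot continue during the window."""
        if self.is_locked(user):
            return "locked"
        creds = self.users.get(user)
        if creds is None:
            verify_password(password, *_DUMMY_CREDS)  # equalise timing
            ok = False
        else:
            ok = verify_password(password, *creds)
        if ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[user] = self.now() + LOCKOUT
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = count
        return "denied"


def simulate():
    """Scripted sequence showing the lockout; returns the list of outcomes."""
    clock = Clock()
    guard = LoginGuard({"alice": hash_password("correct horse battery")}, now=clock)
    results = [guard.attempt("alice", "wrong") for _ in range(5)]    # 4 denied, then locked
    results.append(guard.attempt("alice", "correct horse battery"))  # still locked
    clock.advance(minutes=16)
    results.append(guard.attempt("alice", "correct horse battery"))  # ok
    results.append(guard.attempt("nobody", "anything"))              # denied
    return results


if __name__ == "__main__":
    print(simulate())
```

The fifth wrong guess locks the account, and even the correct password is refused until the window has passed; a service-level counter of `locked` outcomes is also a useful signal for the anomaly detection the previous section calls for.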
Violation of breach notification and reporting obligations
Article 34 of the Personal Information Protection Act stipulates that if personal information is leaked, the company must notify the information subject and report it to the supervisory agency within 72 hours if it exceeds a certain standard.
However, in this case, it was confirmed that even after recognizing the leak, no report was made within the stipulated period and notification to the information subject was delayed.
Violation of restrictions on processing resident registration numbers
Article 24-2 of the Personal Information Protection Act prohibits the collection and processing of resident registration numbers in principle and allows exceptions only when there are explicit legal grounds.
In the case of marriage brokerage businesses, it was pointed out that it was a problem to collect and store resident registration numbers despite there being no clear legal basis for collecting such information.
This shows that, regardless of whether a retention period has been set on paper, if the actual destruction procedure is not carried out the entire retained data set can turn into a legal risk.
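The retention point made here, and earlier in the observation that about 300,000 records due for destruction were still stored, comes down to a routine that actually removes expired records and a metric that shows when it has not run. The following is an added example written for this article, not Duo's code. The 30-day retention period after contract end, the legal-hold flag for records that must be kept despite being overdue (for example during a dispute), and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy (illustrative): member data is kept for 30 days after the
# contract ends and then destroyed, unless a legal hold (for example an
# ongoing dispute) requires it to be kept longer.
RETENTION_DAYS = 30
SAMPLE_TODAY = date(2024, 5, 30)  # reference date for the constructed sample


@dataclass
class MemberRecord:
    member_id: str
    contract_end: Optional[date]    # None while the contract is active
    legal_hold: bool = False


def is_overdue(rec, today, retention_days=RETENTION_DAYS):
    """True if the record's retention period has already elapsed."""
    if rec.contract_end is None:
        return False
    return today > rec.contract_end + timedelta(days=retention_days)


def overdue_count(store, today, retention_days=RETENTION_DAYS):
    """How many records are past retention but still present. This is the
    figure an audit checks; after a sweep it should cover only legal holds."""
    return sum(1 for rec in store if is_overdue(rec, today, retention_days))


def sweep(store, today, retention_days=RETENTION_DAYS):
    """Destroy records past retention. Returns (remaining_store, audit_entries);
    destroyed records are absent from the returned store rather than flagged."""
    remaining, audit = [], []
    for rec in store:
        if not is_overdue(rec, today, retention_days):
            remaining.append(rec)
        elif rec.legal_hold:
            remaining.append(rec)
            audit.append((rec.member_id, "held"))
        else:
            audit.append((rec.member_id, "destroyed"))
    return remaining, audit


def sample_store():
    """Constructed records (not real data) covering each case."""
    return [
        MemberRecord("m-001", None),                                 # active contract
        MemberRecord("m-002", date(2024, 5, 20)),                    # ended, within retention
        MemberRecord("m-003", date(2023, 11, 30)),                   # ended long ago: destroy
        MemberRecord("m-004", date(2024, 1, 15), legal_hold=True),   # overdue but held
        MemberRecord("m-005", date(2024, 4, 30)),                    # exactly 30 days: still within
    ]


if __name__ == "__main__":
    store = sample_store()
    print("overdue before sweep:", overdue_count(store, SAMPLE_TODAY))
    store, audit = sweep(store, SAMPLE_TODAY)
    print(audit)
    print("overdue after sweep:", overdue_count(store, SAMPLE_TODAY))
```

The audit entries give the evidence that destruction was performed, and a nonzero `overdue_count` that is not explained by legal holds is exactly the condition described in this article: a retention rule that exists in policy but is not executed.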
4. Personal information hacking | Standards for determining corporate responsibility
In a personal information hacking incident, the company's responsibility lies in the extent to which the personal information processor was actually implementing the required protective measures.
In particular, the following factors are comprehensively considered:
Factors considered
• Scope and scale of leaked information
• Level of access control and internal management system
• Whether reporting and notification procedures were carried out after the leak
In cases like this case, where an individual's marital history, family relationships, employment, and economic status are included, the sensitivity of the information may be highly evaluated, and the scope of responsibility borne by the company may also expand accordingly.
In addition, even if there are internal personal information processing standards or security policies, it is difficult to say that management obligations have been fulfilled if the standards do not function properly in the actual operation process.
As a result, the determination of responsibility in a personal information hacking incident centers less on whether the information was leaked than on whether the pre-established management system was actually operating.
Corporate risk structure and expansion pattern
Initially, administrative sanctions such as penalty surcharges and fines are imposed, but this usually leads on to claims for damages, and when that is combined with damage to corporate image and customer defection, the actual scale of loss expands further.

| Step | Risk details |
| --- | --- |
| Step 1 | Administrative sanctions such as penalty surcharges and fines |
| Step 2 | Damage claims and class disputes |
| Step 3 | Reputation decline and customer churn |
| Step 4 | Additional regulation and increased supervision |
In particular, if sensitive information and profile data are included, as in this incident, the risk is likely to expand rapidly after stage 2.
Additionally, if a delay in notification of a leak or a lack of an internal management system is confirmed, not only the level of fines but also the scope of civil liability may be affected.
As a result, personal information hacking incidents need to be understood as a structure in which administrative, civil, and business risks occur in a chain.
5. Personal information hacking | Corporate response strategy

This personal information hacking incident is a case in which the company's responsibility turns on whether the internal management system was functioning, rather than on the external attack itself.
Accordingly, companies are required to conduct a structural inspection of the entire personal information processing process.
In particular, it is important to confirm that the management system at each stage, from personal information collection, storage, access, destruction, and response to leaks, is actually operating.
Corporate Response Checklist
| Division | Check items |
| --- | --- |
| Personal information collection | Whether only the minimum range of information necessary to provide the service is collected |
| Processing of unique identification information | Whether, and on what legal basis, legally restricted information such as resident registration numbers is collected and stored |
| Access control | Whether a system for managing the access rights of internal employees and systems is in operation |
| Security system | Whether authentication procedures, encryption, and intrusion detection systems are in place |
| Retention and destruction | Whether the actual destruction procedure for information whose retention period has elapsed is carried out |
| Leak response | Whether a system for reporting and notifying information subjects within 72 hours is established |
| Internal management | Whether personal information processing standards and internal control procedures are actually in operation |
Strategy of Daeryun Law Firm
Personal information hacking incidents have the characteristic that the scope of a company's responsibility varies depending on whether a proactive management system is established rather than a response after the incident.
Additionally, in the event of a leak, administrative sanctions, damages, and reputational risks may occur simultaneously, so a comprehensive legal review is required.
Daeryun Law Firm provides practical legal advice on the overall corporate personal information processing structure based on its experience in personal information protection, data compliance, and corporate dispute response.
▶ Review the legality of unique identification information and sensitive information processing structure and derive improvement measures
▶ Legal risk analysis of internal access control and security management system
▶ Establish reporting/notification and response strategies to supervisory agencies in case of personal information leakage
▶ Establishment of a preliminary risk diagnosis and response system for compensation for damages and the possibility of disputes occurring
If you need to inspect your personal information processing structure or establish a leak response strategy, please proceed with a preliminary review through a corporate lawyer.