CONTENTS
- 1. Personal Data Hacking | Overview of the Duo 430,000-Person Data Leak and the Structure of the Breach
  - Leaked Information
  - Characteristics of the Data Structure in the Matchmaking Industry
- 2. Personal Data Hacking | The Structure of the Data Leak and the Scope of Management Responsibility
  - Failure of Internal Controls and the Limits of Technical Protective Measures
- 3. Personal Data Hacking | Key Obligations Under the Personal Information Protection Act and the Structure of the Violations
  - Breach of the Duty to Take Safety Measures
  - Breach of the Duty to Notify and Report a Leak
  - Violation of the Restrictions on Processing Resident Registration Numbers
- 4. Personal Data Hacking | Criteria for Assessing Corporate Liability
  - Factors Considered
  - The Structure of Corporate Risk and Its Expanding Pattern
- 5. Personal Data Hacking | Corporate Response Strategy
  - Corporate Response Checklist
  - Daeryun Law Firm LLP's Strategy
1. Personal Data Hacking | Overview of the Duo 430,000-Person Data Leak and the Structure of the Breach
The personal data hacking incident did not take the form of a direct external attack on the database; rather, it occurred through access routed via an internal terminal.
The work PC of an employee who handled personal information was infected with malware, and through it the database (DB) account credentials were stolen.
The attacker then used that account to connect directly to the server and exfiltrate the entire member dataset.
An important point in this process is that the structure allowed not merely part of the data but the entire member dataset to be downloaded.
The information of approximately 427,000 persons was confirmed to have been leaked, and its scope includes the following information.
In connection with this incident, the Personal Information Protection Commission imposed on Duo a penalty surcharge of approximately KRW 1,197 million and an administrative fine of KRW 13.2 million.
Leaked Information
| Category | Details |
| --- | --- |
| Basic Information | Name, date of birth, address, contact information |
| Unique Identifying Information | Resident registration number |
| Sensitive Information | Religion, marital history |
| Other | Education, employment, family relationships, physical information |
In addition, approximately 300,000 records that should have been destroyed after contract termination remained in storage, and these were leaked as well.
Characteristics of the Data Structure in the Matchmaking Industry
By the nature of its service, the matchmaking industry collects a wide range of information in order to match members with one another.
Unlike ordinary online services, it makes use of information that goes beyond identity verification to include an individual's living environment and personal values.
• Information relating to social status, such as education, employment, and assets
• Information on personal characteristics, such as religion and disposition
Such information may be fragmentary on its own, but when combined, it acquires a very high degree of accuracy in identifying and analyzing an individual.
In other words, this incident was not a one-off instance of personal data hacking but rather a structure in which the entire body of profile data was leaked externally.
Such data may be misused in various forms, including fraud, targeted approaches, and identity theft, and from the company's standpoint the sensitivity of the information itself operates as a factor that expands the scope of its liability.
2. Personal Data Hacking | The Structure of the Data Leak and the Scope of Management Responsibility
In this personal data hacking incident, the key issue is not the external hacking act itself but whether the internal management system in place to prevent such hacking was functioning properly.
Generally, in a personal data leak case, a company's liability is judged not by whether a hack occurred but by whether the technical and administrative measures taken to block the possibility of hacking were sufficient.
In this case, however, the following management deficiencies were identified.
Failure of Internal Controls and the Limits of Technical Protective Measures
• Inadequate database access-control system
• Insufficient level of encryption for resident registration numbers and passwords
These elements are less technical vulnerabilities than evidence that the internal control system was not functioning adequately across the entire course of personal-information processing.
In particular, the fact that database access could not be blocked even after the account credentials were stolen through an employee's PC means that an access-rights management and anomaly-detection system had not been properly established.
As a result, this matter can be assessed not as a one-time incident caused by an external attack but as a structural problem in which the internal management system and the technical protective measures jointly failed to function.
3. Personal Data Hacking | Key Obligations Under the Personal Information Protection Act and the Structure of the Violations
A company's liability is judged not by whether an individual violation occurred but by whether its legal obligations were properly fulfilled throughout the entire personal-information processing.
Breach of the Duty to Take Safety Measures
Article 29 of the Personal Information Protection Act requires a personal information controller to take technical and administrative protective measures to prevent the leakage of personal information.
These include access-rights management, the establishment of authentication procedures, and encryption measures.
In this case, it was confirmed that no limit had been set on the number of failed login authentication attempts and that database access control was likewise inadequate.
In addition, the level of encryption applied to passwords and resident registration numbers was found to be insufficient.
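As an added, defender-side illustration (not part of the original article) of the three controls that sections 2 and 3 describe as missing, the Python below runs a failed-login limit, an approved-host check for database accounts, and a bulk-read anomaly rule over a constructed database audit log; the thresholds, host allowlist, account names and log format are all assumptions, not details from the case.

```python
from collections import defaultdict

# Assumed thresholds and allowlist; none of these values come from the article.
FAILED_LOGIN_LIMIT = 5        # lock the account once this many failures accumulate
BULK_ROW_THRESHOLD = 10_000   # rows a single session may read from the member table
ALLOWED_HOSTS = {"app_svc": {"app01", "app02"}, "dba_kim": {"bastion01"}}

# Constructed audit log (time account source_host event rows): a stolen service-account
# credential is replayed from an employee workstation and the whole table is read.
SAMPLE_LOG = """\
09:00:01 app_svc app01 LOGIN_OK 0
09:00:02 app_svc app01 SELECT 120
09:05:00 app_svc pc-hr-17 LOGIN_FAIL 0
09:05:03 app_svc pc-hr-17 LOGIN_FAIL 0
09:05:06 app_svc pc-hr-17 LOGIN_FAIL 0
09:05:09 app_svc pc-hr-17 LOGIN_FAIL 0
09:05:12 app_svc pc-hr-17 LOGIN_FAIL 0
09:05:30 app_svc pc-hr-17 LOGIN_OK 0
09:05:40 app_svc pc-hr-17 SELECT 427000
"""

def parse(line):
    ts, account, host, event, rows = line.split()
    return {"ts": ts, "account": account, "host": host, "event": event, "rows": int(rows)}

def detect(log_text):
    # Returns (rule, account, host) tuples, one per triggered control.
    alerts, locked, bulk_seen = [], set(), set()
    failures, rows_read = defaultdict(int), defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse(line)
        key = (rec["account"], rec["host"])
        if rec["event"] == "LOGIN_FAIL":
            # Control 1: a failed-attempt limit (the Article 29 authentication measure).
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_LIMIT:
                locked.add(key)
                alerts.append(("failed_login_limit", *key))
        elif rec["event"] == "LOGIN_OK":
            # Control 2: access-rights management; an account may connect only from its
            # approved hosts, and never after it should already have been locked.
            if key in locked:
                alerts.append(("login_after_lockout", *key))
            if rec["host"] not in ALLOWED_HOSTS.get(rec["account"], set()):
                alerts.append(("unapproved_host", *key))
        elif rec["event"] == "SELECT":
            # Control 3: anomaly detection for a whole-table export from one session.
            rows_read[key] += rec["rows"]
            if rows_read[key] > BULK_ROW_THRESHOLD and key not in bulk_seen:
                bulk_seen.add(key)
                alerts.append(("bulk_read", *key))
    return alerts
```

Run against the constructed log, `detect(SAMPLE_LOG)` raises all four alerts for the `app_svc` session from `pc-hr-17` and none for the legitimate application host.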
Breach of the Duty to Notify and Report a Leak
Article 34 of the Personal Information Protection Act requires that, where personal information has been leaked, a company notify the data subjects and, where the leak meets or exceeds a certain threshold, report it to the supervisory authority within 72 hours.
In this case, however, even after the company became aware of the leak, the report was not made within the prescribed period, and notification to the data subjects was also confirmed to have been delayed.
Violation of the Restrictions on Processing Resident Registration Numbers
Article 24-2 of the Personal Information Protection Act prohibits, in principle, the collection and processing of resident registration numbers, and permits it exceptionally only where there is an explicit statutory basis.
In the case of the matchmaking brokerage business, it was pointed out as a problem that the company collected and stored such information despite the absence of a clear legal basis for collecting resident registration numbers.
This shows that, regardless of whether a retention period has been set, where the destruction procedure has not actually been carried out, the entire body of such data may turn into a legal risk.
4. Personal Data Hacking | Criteria for Assessing Corporate Liability
In a personal data hacking incident, a company's liability turns on the extent to which the personal information controller had actually implemented the required protective measures.
In particular, the following factors are considered as a whole.
Factors Considered
• The scope and scale of the leaked information
• The level of access control and the internal management system
• Whether the reporting and notification procedures were carried out after the leak
Where, as in this case, the data includes an individual's marital history, family relationships, employment, and even financial condition, the sensitivity of the information may be assessed as high, and accordingly the scope of liability borne by the company may also expand.
In addition, even if internal personal-information processing standards or security policies exist, where those standards did not actually function in the course of operations, it is difficult to find that the management duty was fulfilled.
As a result, the assessment of liability in a personal data hacking incident exhibits the characteristic of focusing not on whether a leak occurred but on whether the management system established in advance was actually functioning.
The Structure of Corporate Risk and Its Expanding Pattern
At the outset, administrative sanctions such as a penalty surcharge and an administrative fine are imposed, but the matter commonly proceeds to claims for damages thereafter, and as reputational harm and customer attrition are added, the actual scale of the loss expands further.
| Stage | Risk Content |
| --- | --- |
| Stage 1 | Administrative sanctions such as a penalty surcharge and an administrative fine |
| Stage 2 | Claims for damages and collective disputes |
| Stage 3 | Reputational decline and customer attrition |
| Stage 4 | Additional regulation and intensified oversight |
In particular, where, as in this case, sensitive information and profile data are involved, the risk may expand rapidly from Stage 2 onward.
In addition, where a delay in notifying the leak or an inadequacy in the internal management system is confirmed, it may affect not only the level of the penalty surcharge but also the scope of civil liability.
As a result, a personal data hacking incident should be understood as a structure in which administrative, civil, and business risks arise in a chain.
5. Personal Data Hacking | Corporate Response Strategy
This personal data hacking incident is a case in which corporate liability hinged not on the external attack itself but on whether the internal management system functioned.
Accordingly, companies are required to conduct a structural review of the entire personal-information processing.
In particular, it is important to confirm whether the management system actually functions at each stage, including the collection, storage, access, destruction, and breach-response handling of personal information.
Corporate Response Checklist
| Category | Review Item |
| --- | --- |
| Collection of Personal Information | Whether only information within the minimum scope necessary for providing the service is being collected |
| Processing of Unique Identifying Information | Confirmation of whether legally restricted information such as resident registration numbers is collected or stored, and of the basis therefor |
| Access Control | Whether an access-rights management system for internal staff and systems is in operation |
| Security System | Whether authentication procedures, encryption, and an intrusion-detection system have been established |
| Retention and Destruction | Whether the actual destruction procedure for information past its retention period has been carried out |
| Breach Response | Whether a system for reporting within 72 hours and for notifying data subjects has been established |
| Internal Management | Whether the personal-information processing standards and internal control procedures are actually in operation |
Daeryun Law Firm LLP's Strategy
In a personal data hacking incident, the scope of a company's liability depends less on its response after the incident occurs than on whether a management system was established in advance.
In addition, when a leak occurs, administrative sanctions, claims for damages, and reputational risk may arise simultaneously, so a comprehensive legal review is required.
Drawing on its experience in personal data protection, data compliance, and corporate dispute response, Daeryun Law Firm LLP provides practical legal advisory on a company's overall personal-information processing structure.
▶ Reviewing the legality of the processing structure for unique identifying information and sensitive information, and deriving improvement measures
▶ Analyzing the legal risks of the internal access-control and security-management systems
▶ Establishing a strategy for reporting, notification, and response to the supervisory authority in the event of a personal data leak
▶ Diagnosing risks in advance regarding the possibility of damages and disputes, and building a response system
If you need a review of your personal-information processing structure or the establishment of a breach-response strategy, you are welcome to proceed with a preliminary review through a corporate attorney.