"Negligence in Personal Data Security": 47.8 Billion Won in Fines Imposed on KS Korea Employment, Duo, and Others
KS Korea Employment Information Leaked Personal Data of 40,000 People
Hit With 3.54 Billion Won Fine
Duo Information Breach Exposed Height, Weight, and Employment Dates
Ordered to Notify Victims Immediately
Geumneung Park Cemetery Leaked Data of 5,373 Users
Ordered to Publicly Disclose Administrative Action
The Personal Information Protection Commission has imposed a total of 4,788,200,000 won in administrative fines and 17,400,000 won in penalty surcharges on three businesses—KS Korea Employment Information, Duo Information, and Geumneung Park Cemetery—for violations of personal information protection regulations. The Commission also issued corrective and public disclosure orders.
Song Kyunghee, Chairperson of the Personal Information Protection Commission, is delivering the opening remarks at the 7th plenary session of the Personal Information Protection Commission for 2026 held at the Government Seoul Office Building on the afternoon of the 22nd. Provided by the Personal Information Protection Commission
The Commission announced on the 23rd that it had decided on these measures during its 7th plenary meeting held at the Government Complex Seoul the previous day. These businesses were found to have neglected security measures for their personal information processing systems and to have processed resident registration numbers without legal grounds.
KS Korea Employment Information was fined 3,537,000,000 won and received a penalty surcharge of 4,200,000 won. In April last year, a hacker accessed the personal information processing system's administrator account and leaked the personal data of 40,875 people, including counselors, headquarters employees, and job applicants. Additionally, the hacker exploited a website vulnerability to steal 50,000 personnel document files from the server. These documents included resident registration copies, ID cards, bankbook copies, and family relation certificates, containing not only the applicants’ information but also that of their families. The hacker posted the stolen information on the dark web and attempted to trade it.
According to the Commission’s investigation, KS Korea Employment Information did not restrict access to its personal information processing system by IP address or similar means. The company did not implement secure access or authentication methods, so external logins were possible with only an ID and password. Resident registration numbers in personnel supporting documents were stored without masking or encryption. Furthermore, the company collected and processed resident registration numbers from job applicants who were not ultimately hired, and failed to destroy the personal information of 2,035 people—including former employees and trainees—beyond the retention period.
The Commission stated, "In addition to the fines and surcharges, we have ordered the company to regularly check access logs and the circumstances of personal information downloads in its processing system, and to establish and operate guidelines for personal information destruction." The Commission also required the company to publicly announce the administrative disposition on its operating website.
At Duo Information, a marriage agency service provider, the personal information of 427,464 full members was leaked. It was found that, in January last year, a hacker infected an employee’s work PC connected to the internet with malware and, after obtaining database server account information, accessed the member database server. The leaked personal information included not only user IDs, names, and dates of birth, but also height, weight, blood type, religion, hobbies, marital history, eldest son or daughter status, school name and major, and date of joining the company.
The Commission pointed out that Duo Information failed to take measures such as restricting access after a certain number of unsuccessful authentication attempts when accessing the member database. The company also used insecure encryption algorithms for resident registration numbers and passwords, violating its duty to ensure security. It was also found to have collected and stored resident registration numbers at the time of full membership registration without separate legal grounds. Furthermore, information on 298,566 full members was retained beyond the five-year retention period stated in the privacy policy.
Accordingly, the Commission imposed an administrative fine of 1,197,000,000 won and a penalty surcharge of 13,200,000 won on Duo Information, and ordered the company to immediately notify each data subject of the leak in accordance with Article 34, Paragraph 1 of the Personal Information Protection Act. The Commission also instructed the company to strengthen security measures to prevent recurrence of similar breaches, to collect only the minimum necessary information required for service provision, and to reinforce its personal information protection and management systems. The company was also required to publicly announce the administrative disposition on its operating website.
Geumneung Park Cemetery was found to have neglected inspection and remediation of a parameter manipulation vulnerability on its website. A hacker exploited this to leak the personal information of 5,373 users from the maintenance fee inquiry and payment page. The Commission confirmed that the company failed to apply encrypted communication when transmitting personal information over the internet and violated its protection obligations in other ways, such as storing resident registration numbers in plain text. The company also collected user resident registration numbers for identity verification purposes without separate legal grounds.
The Commission imposed an administrative fine of 54,200,000 won on Geumneung Park Cemetery and issued a corrective order to inspect and remediate vulnerabilities in its personal information processing system, including implementing encryption, to prevent a recurrence of such breaches. The company was also required to publicly announce the administrative disposition on its website.
The Commission stated, "We urge businesses to systematically review whether they have legitimate grounds for processing resident registration numbers and whether they are adequately implementing security measures such as encrypted storage." The Commission added, "For data controllers that collect large amounts of sensitive information, we will assess and improve the level of data subject rights protection to ensure that only the minimum personal information necessary for service provision is collected and used."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.