by Roh Kyungjo
Published 23 Apr. 2026 11:24 (KST)
Updated 23 Apr. 2026 13:49 (KST)
The Personal Information Protection Commission has imposed a total of 4,788,200,000 won in administrative fines and 17,400,000 won in penalty surcharges on three entities (KS Korea Employment Information, Duo Info, and Geumneung Park Cemetery) for violating personal information protection laws. The commission also issued corrective action and public disclosure orders.
Song Kyunghee, Chairperson of the Personal Information Protection Commission, is delivering the opening remarks at the 7th plenary session of the Personal Information Protection Commission for 2026 held at the Government Seoul Office Building on the afternoon of the 22nd. Provided by the Personal Information Protection Commission
The commission announced on the 23rd that it had resolved these measures at its 7th plenary session held at the Government Seoul Office Building the previous day. The entities in question were found to have neglected security measures for their personal information processing systems and processed resident registration numbers without a legal basis.
KS Korea Employment Information was fined 3,537,000,000 won and penalized an additional 4,200,000 won. In April last year, a hacker accessed the company’s personal information processing system with an administrator account, leaking the personal data of 40,875 individuals, including counselors, head office staff, and job applicants. The hacker also exploited website vulnerabilities to steal 50,000 personnel document files from the server. These documents included resident registration certificates, copies of identification cards and bankbooks, and family relation certificates, containing not only the individuals' information but also significant data about their families. The hacker posted the leaked information on the dark web and attempted to trade it.
The commission’s investigation revealed that KS Korea Employment Information did not restrict access rights to the personal information processing system by IP address or similar measures. Because secure access and authentication methods were not implemented, external access was possible using just an ID and password. Furthermore, resident registration numbers in personnel verification documents were stored without masking or encryption. The company also collected and processed resident registration numbers of job applicants who were not ultimately hired and failed to destroy personal information of 2,035 individuals (such as former employees and trainees) whose retention period had expired.
The commission stated, "In addition to the fines and surcharges, we have ordered periodic checks of system access logs and personal information downloads, as well as the establishment and operation of personal information destruction guidelines." The commission also required public disclosure of the sanctions on the company’s website.
At Duo Info, a marriage matchmaking service provider, the personal information of 427,464 registered members was leaked. The hacker infected a staff member’s work PC connected to the internet with malware in January last year, and, after confirming database (DB) server credentials, accessed the member DB server. The leaked information included not only IDs, names, and dates of birth but also height, weight, blood type, religion, hobbies, marital history, eldest son/daughter status, school name, major, and date of joining.
The commission pointed out that Duo Info failed to implement measures such as restricting access after a certain number of failed authentication attempts when accessing the member DB, and violated security obligations by applying insecure encryption algorithms to resident registration numbers and passwords. Duo Info was also found to have collected and stored resident registration numbers without a separate legal basis during member registration. Additionally, 298,566 records of registered members whose retention period (five years) stated in the privacy policy had expired were still being retained.
Accordingly, the commission imposed an administrative fine of 1,197,000,000 won and a penalty surcharge of 13,200,000 won on Duo Info and ordered immediate notification to each data subject of the leak, pursuant to Article 34(1) of the Personal Information Protection Act. The commission also directed the company to strengthen safety measures to prevent recurrence, limit the collection of data to what is strictly necessary for service provision, and reinforce its data protection and management system. The imposed sanctions must also be publicly disclosed on the company’s website.
Geumneung Park Cemetery was found to have neglected to inspect and address parameter manipulation vulnerabilities on its website. A hacker exploited this to leak the personal information of 5,373 users from the maintenance fee inquiry and payment page. The commission confirmed that the company failed to use encrypted communication when transmitting personal data over the internet and violated protection obligations by storing resident registration numbers in plain text. The cemetery also collected users' resident registration numbers for identity verification purposes without a separate legal basis.
The commission imposed an administrative fine of 54,200,000 won on Geumneung Park Cemetery and issued correction orders to inspect vulnerabilities and implement encryption in the personal information processing system to prevent recurrence of such incidents. As with the other cases, the commission mandated public disclosure of the sanctions on the company’s website.
The commission stated, "We urge businesses to systematically verify whether there is a legitimate basis for processing resident registration numbers and whether appropriate security measures such as encrypted storage are being implemented." The commission added, "For data processors that collect large amounts of sensitive information, we will evaluate and improve the level of protection of data subjects’ rights to ensure that only the minimum amount of personal data necessary for service provision is collected and used."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.