Revealing Real Estate and Account Balances for Marriage... Duo Faces Fallout After Member Data Breach

Account Balances and Real Estate Leaked... Fallout from Duo Member Data Breach
Sensitive Information Exposed, Including Marital History and Religion
Incident Caused by Duo's "Weak Encryption System"

A data breach has occurred at Duo Information (Duo), a matchmaking company, and it has been reported that the leaked information included members' account balances and real estate holdings.


Duo Information Headquarters located in Yeoksam-dong, Gangnam-gu, Seoul. Photo by Yonhap News


According to the incident report submitted on April 26 by the Ministry of Science and ICT to the Office of Assemblywoman Choi Minhee, Chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, Duo’s member information was leaked on January 28, 2025. The hacker remotely accessed a PC with database access privileges and stole the personal information of approximately 420,000 individuals. Duo became aware of the breach on February 3, 2025, and reported it to the government.


As a result of this incident, both basic information and sensitive data were leaked, including members’ names, dates of birth, gender, contact details, height, weight, blood type, religion, and marital history. In particular, the scope of the breach has caused controversy because it also included asset verification documents and withholding tax information submitted by members for authentication. Additionally, it was revealed that Duo had failed to destroy information for members who had left the service or whose data retention period of five years had expired, and instead continued to store it. Consequently, this breach is considered significantly more sensitive and far-reaching than a typical personal data leak.


According to Assemblywoman Choi’s office, Duo did not comply with the guidelines on “Usage of Encryption Algorithms and Key Lengths” issued by the Korea Internet & Security Agency (KISA). Furthermore, Duo reportedly did not use the “secure encryption algorithms” recommended in the “Guidelines for Ensuring the Security of Personal Information,” which was distributed by the Personal Information Protection Commission in 2024. This indicates that the incident resulted from Duo’s weak encryption system.


Assemblywoman Choi stated, “It is irresponsible for a company that mediates personal relationships to violate government guidelines,” emphasizing, “Companies that collect sensitive information must establish separate security measures.”


The Personal Information Protection Commission imposed an administrative fine of 1,197 million won and a penalty surcharge of 13.2 million won on Duo in connection with the data breach. Nevertheless, critics continue to argue that these measures are insufficient.


Under the Personal Information Protection Act, the Commission may impose a penalty surcharge of up to 3% of total annual revenue if a data breach or other violation occurs. In Duo’s case, since the hacking-related violation occurred in 2025, the average annual revenue for the previous three years (2022-2024), which was approximately 41.3 billion won, was used as the basis for the penalty calculation.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.