Kakao fined $11.1 million for 2023 data breach


Korean tech giant Kakao was fined 15.1 billion won ($11.1 million), the highest penalty ever imposed on a domestic firm, by the Personal Information Protection Commission for leaking more than 65,000 users’ personal data. Pictured is a Kakao Friends store in Seoul. [YONHAP]


 
Korean tech giant Kakao was fined 15.1 billion won ($11.1 million), the highest penalty ever imposed on a domestic firm, by the country’s privacy watchdog for leaking more than 65,000 users’ personal data last year.
 
The KakaoTalk operator opposed the decision, saying that it would take potential legal action to contest it.
 
The Personal Information Protection Commission (PIPC) said Thursday that it had approved the fine during its plenary session on Wednesday, concluding that Kakao's negligence in protecting user information was responsible for the data leak.
 
The fine is more than twice the previous record penalty imposed by the PIPC, which was levied on screen golf chain Golfzon in May.
 
The PIPC launched an investigation into Kakao last March following media reports that user information from the open chat service on KakaoTalk, the country’s dominant messaging app, was being illegally traded on websites, including those that sold online marketing programs.
 
KakaoTalk offers a number of open chat rooms that any user can join. Participants are able to create a temporary user ID for each one they join, which is tied to a purportedly private serial number. Kakao, however, failed to encrypt some serial numbers used in open chat rooms before August 2020, allowing hackers to identify them through a vulnerability in the platform's contact adding function, according to the PIPC. This allowed the hackers to identify the users' real names, phone numbers and open chat room nicknames.
 
The hacking methods used had previously been revealed in online developer communities, according to the PIPC, but this did not prompt Kakao to take action. Kakao also failed to report the incident immediately after becoming aware of it, the commission added.
 
Nam Suk, the Personal Information Protection Commission's (PIPC) director-general for investigation and coordination, speaks about a fine the privacy watchdog imposed on Kakao for a 2023 data leak at the Government Complex Seoul in central Seoul on Thursday. [YONHAP]


 
“The agency has confirmed that hackers accessed at least 65,710 users’ personal information,” said Nam Suk, the PIPC's director-general for investigation and coordination, adding that data from 696 users of KakaoTalk's open chat rooms had been sold and uploaded onto “other websites.”
 
Police are currently investigating the exact scope of the data leak, Suk said.
 
Kakao said in a news release Thursday that the “hackers’ illegal activities” should not be attributed to “negligence” in the company's security measures and contested that the leaked data constituted personal information.
 
“Users’ serial numbers and ad hoc IDs do not contain any personal information in itself and cannot be used to identify individuals. The serial numbers generated by the service are not legally required to be encrypted, so not encrypting them cannot be considered a violation of the law,” Kakao said.
 
“We are constantly monitoring external communities and social network services and inspecting security issues through a task force.”
 
The company added that it will be “looking into legal measures including administrative litigation” in response to the PIPC’s decision.

BY LEE HAY-JUNE, KIM JU-YEON [kim.juyeon2@joongang.co.kr]