
Reckless failure to safeguard personal data

Posted April 25, 2026 09:13

Updated April 25, 2026 09:13


A major data breach at Duo, the country’s largest matchmaking service, exposed the personal information of about 430,000 members, authorities said. The compromised data included resident registration numbers and phone numbers, along with highly sensitive details such as height, weight, blood type, education, employer, employment start date and marital history. The breach occurred in January last year but became public only after the Personal Information Protection Commission said it would impose about 1.2 billion won in fines and penalties for violations of data protection laws.

Data breaches at major companies such as Coupang, SK Telecom, Lotte Card and KT Corporation have surfaced repeatedly in recent years. This case has drawn particular concern because matchmaking services collect deeply personal information tied to private lives and individual preferences.

At least 24 categories of data were confirmed to have been exposed, including marital status, religion, hobbies and family background. Additional information collected with user consent, such as housing type, vehicle ownership, real estate holdings, whether a person wears glasses, personality traits and health status, was also compromised. Much of this information would typically be known only to close friends or family.

Investigators said the company’s security controls fell short given the sensitivity of the data. The breach began when an employee handling member information downloaded files from a website on a work computer that was infected with malware. Hackers then gained remote access and extracted data from the database. Authorities said basic safeguards, such as restricting access after repeated authentication failures, could have prevented the database from being fully exposed.

Duo reported the breach to authorities five days after it occurred and posted a notice only on its website, without directly notifying affected members. Many users likely learned of the incident through media reports.

The penalty amounts to roughly 3,000 won per affected individual. Under current rules, fines are capped at 3 percent of a company’s average revenue over three years, which for Duo is about 41.3 billion won. Starting in September, a punitive penalty system will raise the cap to 10 percent of revenue.

Experts warn the stolen data could be used in secondary crimes. As hacking methods grow more sophisticated, concerns persist that corporate security practices are not keeping pace and that regulatory safeguards remain insufficient.