
South Korea’s Most Popular Messaging App Receives Privacy Fine Equivalent to $11.1 Million for Data Leak

A data leak at South Korea’s most commonly used messaging app will cost parent company Kakao KRW 15.1 billion, or about $11.1 million. The Personal Information Protection Commission (PIPC) issued the privacy fine after concluding an investigation into KakaoTalk’s security practices, something that was initiated when user data was discovered being offered for sale on an underground forum.

Kakao privacy fine sets new national record

The privacy fine has set a new record in South Korea and went slightly over double the previous largest penalty, a KRW 7.5 billion fine to golf simulator company Golfzon that was just issued in early May.

The investigation into Kakao’s data leaks dates back to March 2023, when KakaoTalk user data was spotted up for offer on a private Telegram channel devoted to cyber crime. The PIPC investigation found that hackers were exploiting a lack of encryption of user ID numbers on the platform, allowing illicit access to the unique serial number assigned to each user. The hackers are thought to have accessed the information of about 65,700 users in this way, though it appears to be limited to these identification numbers.

The PIPC’s further probing into Kakao’s security posture found that its processes for monitoring and protecting user data were not up to par, prompting the eventual privacy fine. These security failures were found to have directly contributed to the data leak, and Kakao was also found to be too slow in responding to notifications about the potential issue. Kakao maintains that it reported the incident to the PIPC and local police as soon as it was discovered. The company also claims that it contacted the PIPC and provided a detailed explanation of the circumstances of the data leak, but was ignored.

Data leak includes minimal information, but potentially devastating for KakaoTalk users

For those outside of South Korea, the amount of the privacy fine might initially seem out of line with the very limited amount of user information that was exposed. However, KakaoTalk is somewhat unique in that it is a market-leading messaging app that stresses anonymity. Users are identified only by a unique ad hoc ID number assigned to them. Thus the data leak could be devastating for some of those impacted, and is comparable to the uproar caused by GlassDoor suddenly and unexpectedly adding the full names of users and other personal details to their public profiles in March.

Kakao maintains that the user serial numbers did not need to be encrypted as it is not possible to connect them to these ad hoc display IDs generated for each session. The company claims that the personal information connected to the serial numbers in the data leak was taken from some other source. The PIPC clearly did not believe this story given the substantial amount of the privacy fine. Kakao has threatened to challenge the decision in court.

This and the previous record-setting privacy fine are covered under the rules of the updated Personal Information Protection Act (PIPA), the new terms of which began going into force in September 2023. PIPA has seen a series of updates aimed in no small part at maintaining parity with the EU’s GDPR, which has earned South Korea status as a trusted “adequate” data partner with the bloc for international transfers of personal information.

Many key PIPA amendments went into effect on March 15 of this year. Data subjects were furnished with the right to request an explanation of decisions made by “fully automated” systems, with organizations obligated to demonstrate that there is no significant impact on the rights or obligations of a data subject if a human being is not involved in the decision. Fully automated systems are also now subject to new transparency requirements, and data processors are obligated to explain the basis for decisions and the process by which they are made upon request from an impacted data subject.

The qualifications for the country’s CPOs were also strengthened, at least for those organizations that process sensitive personal information or a significant quantity of less sensitive data of this nature. CPOs in these positions are now required to have a minimum of four years of relevant experience, and those already working have been given until mid-March of 2026 to meet the requirement under a transitional provision.

In addition to the groundbreaking privacy fines issued to Golfzon and Kakao for their data leaks, four other businesses in the country have been issued smaller penalties since the start of May. The PIPA fine structure was revised in March 2023 and now allows for up to 3% of a company’s total sales, with compounding effects for repeated violations found to be intentional in nature.