(LEAD) Kakao fined record 15.1 bln won for leak of open chat users’ personal data


The privacy watchdog fined Kakao Corp., the operator of South Korea’s dominant mobile messenger, 15.1 billion won (US$11 million) Thursday for the leak of about 65,000 users’ personal data, the highest penalty ever imposed on a domestic firm.

The Personal Information Protection Commission (PIPC) approved the fine during its plenary meeting, concluding that Kakao’s lax user data scrutiny and protection measures led to the massive data leak.

The amount is more than twice the previous record fine of 7.5 billion won, which was imposed on Golfzon, a screen golf business, by the watchdog.

The PIPC launched an investigation into Kakao following media reports in March last year that user information from the open chat service on KakaoTalk, the firm’s messenger app, was being illegally traded.

According to the findings, hackers exploited a lax data protection regime on the open chat service to steal participants’ personal information and put it up for sale.

The PIPC concluded that Kakao did not take the necessary protection measure of encrypting users’ ad hoc IDs, allowing hackers to identify the serial number assigned to each user.

The fine also reflects Kakao’s failure to preemptively inspect and address the data leak after concerns were raised about a potential breach and its failure to report the case to the PIPC even after becoming aware of the incident.

A PIPC official said that the agency has confirmed hackers accessed the personal data of at least 65,710 users, adding the exact scope of the data leak is currently under investigation by the police.

Kakao, however, refuted the PIPC’s statement, claiming the ad hoc IDs do not contain any sort of personal information and are not subject to mandatory encryption under related laws.

The company also said that it immediately reported the case to the police and the science ministry upon acknowledging it, and has faithfully cooperated with the investigation.

Kakao said it will “actively” review various measures to respond to the PIPC’s decision, including filing an administrative lawsuit.