According to sources, the IDs and encrypted passwords of roughly 430,000 members of the matchmaking company Duo Information have been leaked. The data was stolen after an attacker infected an employee's work PC with malware and used that foothold to extract the membership database.
On the 23rd, the Personal Information Protection Commission reported that in January of the previous year, the work PC of an employee handling personal information at Duo was hacked, leading to the leak of personal information for 427,464 registered members. The leaked information included usernames and encrypted passwords, names, birthdates, encrypted resident registration numbers, personal addresses, height, weight, blood type, religion, hobbies, marital history (first marriage/remarriage), sibling relationships, eldest son/daughter status, school names, majors, admission years, graduation years, school locations, employment dates, and company names.
Duo Information did not restrict access to the member database holding registered members' personal information, for example by locking access after repeated failed authentication attempts. It also stored resident registration numbers and passwords using insecure encryption algorithms, in breach of the required safeguards; passwords in particular should be kept as salted, slow one-way hashes rather than as reversibly encrypted values. Furthermore, it collected and stored resident registration numbers during membership registration without a separate legal basis, and it failed to destroy 298,566 member records after the five-year retention period stated in its privacy policy had expired.
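As an added illustration (not part of the article, and not Duo's own code), the Python below shows the controls the Commission cited in the form a practitioner would expect: a per-account gate that locks after repeated failed authentication attempts, password storage as a salted, slow one-way hash (PBKDF2-HMAC-SHA256 here) instead of reversible encryption, and a retention check that lists records past the five-year period. The attempt limit, lockout duration, iteration count, the retention start date and the constructed member records are all assumptions chosen for the example; resident registration numbers are not modelled.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy constants chosen for this example (assumptions, not figures from the case).
PBKDF2_ITERATIONS = 600_000      # slow on purpose: raises the cost of offline guessing
MAX_FAILED_ATTEMPTS = 5          # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60
RETENTION_DAYS = 5 * 365         # the five-year retention period the privacy policy stated


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, one-way PBKDF2-HMAC-SHA256 digest, never a reversible ciphertext.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>. A stolen table of
    these cannot be decrypted; each guess costs the attacker PBKDF2_ITERATIONS hashes.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginGate:
    """Counts failed authentications per account and refuses further attempts,
    even with the correct password, until the lockout window has elapsed."""

    def __init__(self):
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> datetime when the lock expires

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account: str, password: str, stored_hash: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = now or datetime.now()
        if self.is_locked(account, now):
            return "locked"
        if verify_password(password, stored_hash):
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = now + timedelta(seconds=LOCKOUT_SECONDS)
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def due_for_destruction(records, now: datetime, retention_days: int = RETENTION_DAYS):
    """Member IDs whose retention period has run out and whose records must be destroyed.

    Retention is counted from 'collected_at' here; that starting point is an assumption.
    """
    cutoff = now - timedelta(days=retention_days)
    return sorted(r["member_id"] for r in records if r["collected_at"] <= cutoff)


def demo():
    """Constructed walk-through: five wrong passwords lock the account, the right
    password is refused while locked, and is accepted once the lockout expires."""
    stored = hash_password("correct-horse-battery")
    gate = LoginGate()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    outcomes = [gate.attempt("member-1", "wrong", stored, now=t0) for _ in range(5)]
    outcomes.append(gate.attempt("member-1", "correct-horse-battery", stored,
                                 now=t0 + timedelta(minutes=1)))
    outcomes.append(gate.attempt("member-1", "correct-horse-battery", stored,
                                 now=t0 + timedelta(seconds=LOCKOUT_SECONDS)))
    return outcomes


def retention_demo():
    """Constructed records: one collected in 2017 is past five years on 2024-01-01."""
    sample = [
        {"member_id": "m-100", "collected_at": datetime(2017, 3, 1)},
        {"member_id": "m-200", "collected_at": datetime(2021, 6, 15)},
    ]
    return due_for_destruction(sample, now=datetime(2024, 1, 1))


if __name__ == "__main__":
    print(demo())             # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
    print(retention_demo())   # ['m-100']
```

The gate keys on the account being authenticated; a production deployment would also track the source address and persist the counters outside the application process so that a restart does not clear a lockout.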
After confirming the leak, Duo Information delayed reporting the breach by 72 hours without a valid reason. Although a matchmaking service by its nature collects a large volume of sensitive data, including personal details, education, religion and workplace, the company did not notify the affected data subjects, leaving them exposed to secondary harm.
As a result, the Personal Information Protection Commission imposed a fine of 1.197 billion KRW and a penalty of 13.2 million KRW on Duo Information. It also ordered Duo to promptly notify each affected data subject of the breach in accordance with Article 34(1) of the Personal Information Protection Act and to strengthen its security measures to prevent a recurrence.
In addition, the Commission required Duo to review its personal information processing procedures so that only the minimum information necessary to provide the service is collected, and to establish clear guidelines for destroying information once it is no longer needed. Duo was also instructed to publish the sanctions on its website.
