Kakao, South Korea’s leading mobile messaging firm, faced a record $11.1 million (15.1 billion won) fine from the country’s privacy regulator for mishandling the personal data of more than 65,000 users.
In a press briefing held on May 23, the Personal Information Protection Commission (PIPC) announced that Kakao had been fined $11.1 million for violating the country’s privacy laws, citing a failure to adequately safeguard users’ information. The PIPC further noted that the company, which counts more than 85% of the country’s population among its users, also faced an additional fine of $5,700 (7.8 million won) for neglecting to report the data breach to the commission and to its clients.
According to the PIPC’s investigation, which commenced following local news reports in March of last year, a hacker exploited vulnerabilities in Kakao’s open chatrooms, gaining access to 65,719 instances of user data. A Kakao open chatroom is a Kakao service that lets users join anonymously via a shared link, without first adding each other as friends. The Commission refrained from disclosing the precise number of individuals impacted by the breach pending a police investigation. It did clarify, however, that the hacker potentially exposed significant data across the more than 65,719 instances.
The messenger firm identified users by a serial number, and the same serial number was used whether the user was in a normal chatroom or an open chatroom. In open chatrooms, participants were assigned temporary IDs made up of their serial number and information about the open chatroom.
The PIPC explained that the attacker utilized a hacking program to obtain users’ names and phone numbers in normal chatrooms. Later, the attacker combined the data retrieved from the open chatroom and the normal chatroom and established a database of the users’ information.
The PIPC stated that Kakao did not securely protect their users’ data because the serial number was easily recognizable through the temporary IDs, as they were not encrypted. Although the company encrypted the temporary ID after August 2020, the PIPC stated that it was still easily identifiable due to a vulnerability in the open chatrooms.
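The design problem the PIPC describes is that a temporary ID carrying the serial number in recoverable form lets anyone who sees it in one room tie it to the same user everywhere the serial appears. The following is an added illustration, not Kakao's code: it contrasts a temporary ID that embeds the serial with a per-room pseudonym derived under a server-side HMAC key, so that the serial cannot be read off the ID and pseudonyms for the same user in different rooms are unlinkable, while the operator can still resolve a pseudonym to an account for abuse handling. The serial number, room names and key are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample data (not from the article): one user's internal serial number,
# two open-chatroom identifiers, and a server-side key. A real deployment would
# generate the key from a CSPRNG and keep it in a key-management service.
SERIAL = "100234"
ROOM_A = "openchat-investing-42"
ROOM_B = "openchat-hiking-7"
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def naive_temp_id(serial: str, room_id: str) -> str:
    """Weak design: the temporary ID is just the serial concatenated with room
    information, so the serial is visible to every participant in the room."""
    return f"{serial}:{room_id}"


def serial_from_naive(temp_id: str) -> str:
    """What any room participant can do with the weak design: read the serial back."""
    return temp_id.split(":", 1)[0]


def naive_cross_room_overlap(ids_room_a: set, ids_room_b: set) -> set:
    """With naive IDs, an observer present in two rooms can link members across
    them by serial. Returns the serials seen in both rooms."""
    return {serial_from_naive(i) for i in ids_room_a} & {serial_from_naive(i) for i in ids_room_b}


def keyed_room_pseudonym(serial: str, room_id: str, key: bytes) -> str:
    """Hardened design: a per-room pseudonym computed as HMAC-SHA256 over the
    serial and room id under a server-side key. Without the key the pseudonym
    reveals nothing about the serial, and the same user gets a different,
    unlinkable pseudonym in every room."""
    msg = f"{serial}|{room_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def resolve_pseudonym(pseudonym: str, room_id: str, member_serials: list, key: bytes):
    """Operator-side lookup for abuse reports: recompute the pseudonym for each
    room member and return the matching serial, or None. Only the key holder
    can do this, which is the accountability the weak design gave to everyone."""
    for serial in member_serials:
        candidate = keyed_room_pseudonym(serial, room_id, key)
        if hmac.compare_digest(candidate, pseudonym):
            return serial
    return None


if __name__ == "__main__":
    weak = naive_temp_id(SERIAL, ROOM_A)
    print("naive id:", weak, "-> serial recovered:", serial_from_naive(weak))
    pa = keyed_room_pseudonym(SERIAL, ROOM_A, SERVER_KEY)
    pb = keyed_room_pseudonym(SERIAL, ROOM_B, SERVER_KEY)
    print("keyed pseudonyms differ across rooms:", pa != pb)
    print("operator resolves pseudonym:", resolve_pseudonym(pa, ROOM_A, [SERIAL, "100235"], SERVER_KEY))
```

The keyed scheme keeps the property the service needs (the operator can map a pseudonym back to an account when a report comes in) while removing the one the attacker relied on: a stable, readable serial that ties an open-chatroom participant to their identity in normal chatrooms.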
“The hacker attempted to illicitly trade the data on Telegram to anyone seeking information on specific individuals,” a spokesperson for the PIPC remarked during a press briefing. “Illegally traded information could result in secondary victimization. This is particularly concerning as users engage in open chatrooms aligned with their interests. For instance, in an investment-related open chatroom, users may receive unsolicited spam messages about investments.”
Meanwhile, Kakao has disputed the PIPC’s decision, asserting that they have not breached the country’s privacy laws. Local news outlets report that the company is exploring various courses of action, including potential legal challenges against the privacy regulator.