Kakao slapped with record $11 mn privacy commission fine

2024. 5. 24. 08:33

[Photo by Yonhap]
South Korea’s platform giant Kakao Corp. was hit with a record fine of 15.1 billion won ($11 million) by the country’s privacy watchdog due to the company’s negligence in checking and protecting user information. The negligence led to a data breach in KakaoTalk’s open chat feature, which allows for anonymous communication.

The Personal Information Protection Commission (PIPC) held a plenary meeting on Thursday and decided to impose a fine of 15.1 billion won and an additional penalty of 7.8 million won on Kakao for violating personal information protection obligations by exposing vulnerabilities in the open chat rooms.

The fine on Kakao is more than double the previous highest fine of 7.5 billion won for Golfzon.

The investigation by the PIPC began in March 2023, following reports that KakaoTalk open chat users’ personal information was being illegally traded. Advertisements offering to extract the real names and phone numbers of participants in open chat rooms were found on a website that trades online marketing programs.

According to the PIPC, hackers found users’ temporary usernames in the open chat rooms, then used KakaoTalk’s “add friend” feature and illegal hacking programs to obtain their member serial numbers alongside other information. These data were combined to create personal information files, which were then sold on platforms like Telegram.

“We confirmed that information of 696 open chat room users was posted on a specific site, and that hackers accessed at least 65,719 personal information records,” according to Nam Suk, director-general for investigation and coordination at the PIPC.

The PIPC concluded that Kakao did not encrypt the temporary IDs of participants in the open chat service, making it easy to identify the member serial numbers. It pointed to the inclusion of regular chat member serial numbers in the temporary IDs as a significant cause of the data hack.

Kakao also failed to thoroughly inspect and address the potential for personal information leaks even after various malicious activity methods using KakaoTalk’s application programming interface (API) surfaced in developer communities.

For its part, the company argued against the commission’s claim of violating safety measures by not encrypting temporary IDs. “The member serial number and temporary ID are numeric strings that do not contain any personal information and thus cannot be used to identify individuals,” it said. “The service serial numbers generated by the business operator are not subject to encryption under the relevant laws, so not encrypting them should not be considered a legal violation.” Kakao also clarified that it had encoded temporary IDs for operation and management since August 2020 and applied stronger encryption to open chat rooms created afterwards.

Regarding the sale of information combined with the member serial number by hackers, Kakao said that “the other information used was not leaked from our side.”

“It was independently collected by hackers through illegal means and should not be considered when judging our compliance,” it added.

Copyright © Maeil Business Newspaper & mk.co.kr. Unauthorized reproduction, redistribution, and use for AI training prohibited.
