South Korea’s Personal Information Protection Commission fined marriage brokerage service Duo 1.197 billion won (about £600,000) plus an administrative penalty after a January 2025 breach exposed the personal data of 427,464 members. An infostealer on an employee’s work PC stole database credentials, allowing the attacker to exfiltrate sensitive member information and publish it on the dark web, with regulators citing failures to encrypt resident registration numbers and passwords, improper data retention, and delayed reporting. #Duo #PersonalInformationProtectionCommission
Keypoints
- PIPC imposed a 1.197 billion won fine and a 13.2 million won administrative penalty on Duo for the data breach.
- An infostealer on an employee workstation led to stolen database credentials and the exfiltration of 427,464 members’ records to the dark web.
- Exposed data included login IDs, passwords, resident registration numbers, names, birthdates, contact details, physical traits, education, and financial information.
- Regulators found failures to encrypt resident registration numbers and passwords, insufficient access controls, unlawful collection of RRNs, and failure to delete 298,556 expired records.
- PIPC ordered Duo to notify affected members, publish breach details, and strengthen security measures; Duo has apologized, deleted RRNs, and pledged corrective actions.
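The three control failures the regulator cites (plaintext passwords, plaintext resident registration numbers, and records kept past their retention period) each have a well-understood fix. The following Python is an added illustration written for this summary; it is not Duo's code and nothing on the page describes their implementation. Function names, the HMAC key, the 365-day retention period and the member records are all constructed for the example: passwords are stored only as salted PBKDF2 digests, the RRN is reduced to a keyed hash so the raw number never reaches the database, and a purge routine removes withdrawn members once their retention window has passed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256; a deliberately slow setting so a
# stolen digest table resists offline guessing.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Store both; never store the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def pseudonymise_rrn(rrn: str, key: bytes) -> str:
    """Keyed HMAC of a resident registration number.

    The database keeps only this token (enough for duplicate checks); the raw
    RRN is never written, and the key lives outside the database so a dumped
    table alone cannot be reversed into RRNs.
    """
    return hmac.new(key, rrn.encode("utf-8"), hashlib.sha256).hexdigest()


def expired_records(records: list[dict], now: datetime, retention_days: int) -> list[int]:
    """IDs of withdrawn members whose retention period has already elapsed."""
    cutoff = now - timedelta(days=retention_days)
    return [
        r["member_id"]
        for r in records
        if r["withdrawn_at"] is not None and r["withdrawn_at"] < cutoff
    ]


def purge_expired(records: list[dict], now: datetime, retention_days: int) -> list[dict]:
    """Return the record set with every expired record removed."""
    doomed = set(expired_records(records, now, retention_days))
    return [r for r in records if r["member_id"] not in doomed]


# Constructed sample data: one active member, one withdrawn long ago, one
# withdrawn recently. The RRN below is a dummy value, not a real number.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"member_id": 1, "withdrawn_at": None},
    {"member_id": 2, "withdrawn_at": NOW - timedelta(days=400)},
    {"member_id": 3, "withdrawn_at": NOW - timedelta(days=10)},
]
RETENTION_DAYS = 365          # assumed policy value for the example
RRN_HMAC_KEY = os.urandom(32)  # in practice: loaded from a KMS/HSM, not generated here

if __name__ == "__main__":
    salt, digest = hash_password("example-passphrase")
    print("password verifies:", verify_password("example-passphrase", salt, digest))
    print("rrn token:", pseudonymise_rrn("000000-0000000", RRN_HMAC_KEY)[:16], "...")
    print("expired member ids:", expired_records(SAMPLE_RECORDS, NOW, RETENTION_DAYS))
```

The purge step is the part most often missing in practice: it needs to run on a schedule and be evidenced (counts per run), because a retention rule that exists only on paper is exactly what the 298,556 undeleted records in this case represent.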