On May 23, 2024, the Personal Information Protection Commission (PIPC) of South Korea announced a fine of 15.14 billion KRW (approximately 11,076,717 USD) and an additional fine of 7.8 million KRW (approximately 5,721 USD) against Kakao Corporation. Following an investigation into media reports from 2023, the PIPC accused Kakao of violating the Personal Information Protection Act (PIPA). This decision marks the largest fine ever imposed by the PIPC, more than double the previous highest fine of 7.5 billion KRW in the Golfzon case.
Case Background
Kakao, a company known for its anonymous chat services, operates an open chat service. In March 2023, media reports indicated that personal information of KakaoTalk open chat users was being illegally traded, prompting a PIPC investigation. PIPC found advertisements on a website selling the real names and phone numbers of KakaoTalk open chat users.
The investigation revealed that Kakao's user identification system uses a single membership number for each user, regardless of whether they are in regular chat mode or open chat mode. In open chat mode, users use a temporary ID, which is an identifier composed of the user's membership number and other information. However, for open chat rooms created before August 20, 2020, these temporary IDs were not encrypted, making it easy to trace the user's membership number from the temporary ID. Although the temporary IDs for open chat rooms created after August 2020 were encrypted, there was a vulnerability whereby entering the encrypted temporary ID on the open chat room's bulletin board would decrypt and display it in plain text. This linkage between temporary IDs and membership numbers compromised the anonymity of open chats and exposed personal information. Despite being aware of this vulnerability, Kakao did not report the breach or review and improve the privacy risks associated with exposed membership numbers. According to Nam Suk, the Director General responsible for the investigation, "We confirmed that the information of 696 open chat room users was posted on a specific website, and hackers obtained at least 65,719 personal information records."
Following the 2023 incident, Kakao encrypted all temporary IDs for open chat participants, but it was noted that user information could still be extracted by analyzing the publicly available API of KakaoTalk's transmission methods, and KakaoTalk had no effective countermeasures against such malicious attacks.
Enforcement Results
PIPC found Kakao in violation of PIPA Article 29, which mandates security measures, and Article 39-4 (1) (now Article 34), which requires breach notification. Consequently, Kakao was fined 15.14 billion KRW (approximately 11,076,717 USD) and 7.8 million KRW (approximately 5,721 USD), respectively. Additionally, PIPC ordered Kakao to notify users of the breach and decided to publish the sanction results on the Personal Information Protection Commission's website.
Security Measures Obligation
Article 29 of PIPA states: "Personal information controllers must take necessary technical, managerial, and physical measures, such as establishing internal management plans and maintaining access records, to ensure safety and prevent the loss, theft, leakage, falsification, alteration, or damage of personal information."
- In this case, Kakao's products used a single membership number for both regular and open chat modes, and the temporary IDs for open chat were not encrypted, compromising anonymity. According to this article, companies should prevent membership numbers from breaking anonymity by configuring a different identification system for open chat users or encrypting temporary IDs.
- After media reports, Kakao encrypted the temporary IDs, but a significant vulnerability remained, allowing user information extraction through the public API of KakaoTalk's transmission methods. Kakao failed to review and remedy this risk or adopt stricter encryption methods, resulting in user information exposure to hackers.
Information Leakage Notification Obligation
The original PIPA Article 39-4 (1) required information communication service providers to notify affected users and report to designated agencies immediately upon learning of personal information loss, theft, or leakage, and no later than 24 hours after becoming aware of the breach.
The March 23, 2023 media reports and the investigation by the Personal Information Commissioner revealed that KakaoTalk did not address the personal information leakage of open chat room users despite knowing about it. KakaoTalk violated PIPA's personal information leakage notification obligation by failing to report the breach and notify users.
Compliance Recommendations
Companies providing social, chat, communication products, and services must strictly control product design to fix and improve elements that might cause user information leaks. Companies offering anonymous services should strictly encrypt and hide identifiable information such as IDs, nicknames, and avatars to prevent linking anonymous mode IDs with regular mode user IDs. Companies should also establish internal management plans and maintain access records to prevent hacker attacks and promptly fix data protection vulnerabilities. If a breach compromising user anonymity occurs, companies must notify users immediately, report to relevant agencies, and take remedial measures.
Kaamel's Response
Kaamel remains at the forefront of privacy protection, firmly believing in a technology-driven approach to help enterprises identify and resolve privacy compliance risks. Our innovative Kaamel AI detection engine, backed by mainstream regulations and regulatory precedents, helps enterprises quickly and comprehensively identify their privacy compliance risks. Kaamel also provides a full range of privacy compliance solutions to help businesses effectively respond to regulatory and user demands, mitigate privacy risks and compliance issues, and build privacy trust in the international market.
