Kakao, parent company of popular messaging app KakaoTalk, is the recipient of a record-setting privacy fine only weeks after the previous record was established. New terms and amendments that have been gradually going into force since late last year are starting to make data leaks expensive for companies operating in South Korea, as the fine record is now up to KRW 15.1 billion (about $11.1 million).
KakaoTalk data leak identified anonymous users
The KakaoTalk data leak might seem relatively trivial at first glance. A little over 65,700 users were impacted, but only appear to have had the unique serial number used to identify them exposed to the hackers (due to an exploitable bug). KakaoTalk is South Korea’s most widely used messaging app, however, and has become popular due to its anonymity. Users are identified only by an ad hoc identifier number that is created for each session. But their serial number is permanent, and could be used to identify them if tied to the temporary identifiers.
Kakao’s argument has been that the serial numbers did not need to be encrypted, as hackers could not tie them to the ad hoc identifiers or user personal identifiers in any way. But personal information for sale on a private Telegram channel indicates that the data leak provided them with just that. And South Korea’s privacy regulator, the PIPC, clearly agreed that these two things were directly connected in assessing the very large privacy fine.
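The linkage problem described above, as an added illustration that is not part of the article and does not describe Kakao’s actual systems: a permanent serial number stored in the clear collapses every "anonymous" session of the same user into one profile the moment the serial table and the session log are seen together, while a keyed, per-session pseudonym in place of the raw serial leaves nothing to join on. The session-log layout, the HMAC-based pseudonym scheme and all records are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample data (assumption, not from the article). Each row is
# (permanent_serial, ad_hoc_session_id, message_count) as a backend might log it.
SESSION_LOG = [
    ("SN-0001", "tmp-9f3a", 3),
    ("SN-0002", "tmp-71bc", 1),
    ("SN-0001", "tmp-c0d4", 5),
    ("SN-0003", "tmp-2e8e", 2),
    ("SN-0001", "tmp-55aa", 1),
]

# Constructed: the "harmless" identifier table exposed in a leak.
LEAKED_SERIALS = {"SN-0001", "SN-0003"}


def link_sessions_by_serial(session_log, leaked_serials):
    """Group every session that carries a leaked serial number.

    This is the re-identification risk: once a static identifier sits next
    to the per-session identifiers, all of a user's sessions become one
    profile, regardless of whether the serial is 'sensitive' on its own.
    """
    linked = defaultdict(list)
    for serial, session_id, _count in session_log:
        if serial in leaked_serials:
            linked[serial].append(session_id)
    return dict(linked)


def per_session_pseudonym(serial, session_nonce, key):
    """Keyed pseudonym: HMAC-SHA256(key, serial || nonce), truncated for display.

    Without the server-side key, a leaked pseudonym cannot be tied back to
    the serial, and two pseudonyms for the same user (different nonces)
    cannot be tied to each other.
    """
    msg = serial.encode() + b"|" + session_nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymised_log(session_log, key):
    """Rewrite the log so only per-session pseudonyms are stored, not serials."""
    out = []
    for serial, session_id, count in session_log:
        nonce = secrets.token_bytes(8)  # fresh per session, stored with the row
        out.append((per_session_pseudonym(serial, nonce, key), session_id, count))
    return out


def link_sessions_by_pseudonym(pseudo_log):
    """Attempt the same grouping on the pseudonymised log.

    Returns only pseudonyms that appear in more than one session; with a
    fresh nonce per session this is empty, i.e. no linkage is possible
    from the stored data alone.
    """
    linked = defaultdict(list)
    for pseudo, session_id, _count in pseudo_log:
        linked[pseudo].append(session_id)
    return {p: s for p, s in linked.items() if len(s) > 1}


if __name__ == "__main__":
    print("raw serials leaked:", link_sessions_by_serial(SESSION_LOG, LEAKED_SERIALS))
    key = secrets.token_bytes(32)  # would live in a KMS/HSM in production
    print("keyed pseudonyms:", link_sessions_by_pseudonym(pseudonymised_log(SESSION_LOG, key)))
```

The design point is that encryption of the serial column alone does not fix the problem if the decrypted value is still what gets joined against session data; the linking field has to be replaced with something that is unlinkable without a key the leaked dataset does not contain, and the key must be held separately from the data store.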
Such a large penalty coming just weeks after a prior record-setting privacy fine demonstrates that the regulator is making aggressive use of the new amendments and rules now in force under the Personal Information Protection Act (PIPA), the country’s data privacy law that saw a massive update in late 2023. The latest developments include tighter regulations for fully automated and AI systems that make decisions without human input, as well as tougher hiring standards for CEOs of firms that handle substantial amounts of personal data. But the headline thus far has been a bit of a privacy fine spree that has seen record-setting amounts and a total of six substantial penalties handed out in roughly the last month.
Privacy fine more than double previous record-setter handed out in early May
Golf screen company Golfzon had been the recipient of the previous record-setting privacy fine at KRW 7.5 billion (about $5.5 million), and that was at the beginning of May. That stemmed from a November 2023 ransomware attack that involved the exposure of over 2.1 million customer records. A follow-up investigation found that the company had been improperly storing much of this personal information on file servers.
Kakao’s internal security was similarly found wanting by the PIPC’s investigation. The company claims to have contacted the agency with a detailed explanation of the data leak, but was ignored. The agency justified the privacy fine in part with its findings of endemic security issues in how stored data was processed and monitored.
PIPA’s fine structure was revised a little over a year ago and allows for up to 3% of an organization’s total revenue, with added penalties for repeat violations that the PIPC finds intentional.