South Korea fines matchmaking service Duo £665,000 after breach exposing 420,000 members' data

South Korea's PIPC fined matchmaking service Duo £665,000 for a breach exposing 420,000 members' data, citing inadequate security and retention failures.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Source: Korea JoongAng Daily

South Korea's data protection agency has levied a £665,000 fine against matchmaking service Duo following a cybersecurity breach that compromised sensitive personal data for over 420,000 members. This penalty underscores the critical importance of robust data security and adherence to retention regulations.

In a significant regulatory action, South Korea’s Personal Information Protection Commission (PIPC) imposed a fine of 1.21 billion won, approximately £665,000, on Duo, a prominent matchmaking service. The decision follows an investigation into a data breach that exposed highly sensitive personal information. This incident highlights ongoing challenges for organizations managing vast quantities of user data.

Hackers gained unauthorized access to Duo’s primary database in January of the previous year, compromising personal data belonging to over 420,000 current and former members. The exposed information included sensitive details such as weight, blood type, marital history, mobile phone numbers, home addresses, university histories, and places of work. The PIPC identified Duo’s failure to implement adequate security measures to protect its membership database. Furthermore, the company demonstrated a slow response after the breach occurred. The investigation also revealed violations of data retention laws; Duo stored sensitive 13-digit national identification numbers and passwords, contrary to regulations. It also failed to delete the dormant data of nearly 300,000 former users, exceeding the five-year legal retention limit. Duo publicly apologized for the incident, accepting the regulator's findings and expressing deep regret for its failure to adequately protect member data.

The PIPC has mandated immediate corrective actions from Duo, requiring a comprehensive overhaul of its data protection systems and full disclosure of technical breach details to affected users. This incident underscores the severe financial and reputational consequences for organizations that fail to secure personal data and comply with retention policies. Exposed information of this kind carries risks of identity theft, targeted phishing, and social extortion. Defenders should implement robust access controls, encrypt sensitive data at rest and in transit, and conduct regular security audits. Crucially, organizations must enforce strict data retention policies, promptly deleting data that is no longer required, to minimize exposure. Proactive incident response plans and continuous monitoring are essential to detect and mitigate unauthorized access swiftly. Watch for how Duo implements these corrective actions and whether this ruling sets a stronger precedent for data protection enforcement across South Korea.
