23 May 2024

South Korea: PIPC Fines Kakao Corp. KRW 15 Billion for PIPA Violations

In a landmark decision, the Personal Information Protection Commission (PIPC) slapped Kakao Corp. with a staggering fine of KRW 15 billion (about $11,076,717) on May 23, 2024. This hefty penalty, along with a KRW 7.8 million (approximately $5,721) fine, stems from Kakao's violation of the Personal Information Protection Act (PIPA), following a thorough investigation prompted by media reports.

The investigation, initiated back in March 2023, was triggered by alarming claims of Kakao users' personal data being unlawfully traded. PIPC's probe revealed disturbing findings: hackers exploited vulnerabilities within Kakao's platform to access information from participants in open chat rooms. The exposed personal information was subsequently bundled and sold, sparking widespread concern.

Key to the investigation was Kakao's open chat service, which employed a user identification system using member serial numbers. Shockingly, certain chat rooms lacked encryption for temporary IDs, leaving them vulnerable to exploitation. Despite measures put in place post-August 2020 to encrypt IDs, a critical flaw allowed for encryption deactivation, rendering temporary IDs accessible in plain text.

PIPC's ruling underscored Kakao's neglect of safety protocols mandated by Section 29 of PIPA. Despite being aware of vulnerabilities within its chat feature, Kakao failed to take corrective action, leaving personal information at risk. Furthermore, Kakao's negligence extended to its failure to report leaks, a requirement outlined in Section 39-4(1) of PIPA, even amidst media reports and PIPC's investigation confirming such breaches.

As part of the ruling, Kakao is not only facing substantial fines but also a corrective order, compelling the company to inform users of the breach and disclose the investigation findings on the PIPC website. This decision marks a significant development in the realm of data protection and underscores the importance of stringent adherence to privacy laws in the digital age.

The press release is accessible only in Korean.