The Personal Information Protection Commission (PIPC) of South Korea has imposed a fine on Kakao Corporation, amounting to 15.14 billion KRW ($11.5 million USD), for a data breach affecting users of its open chatting service.
Kakao Corporation is a major South Korean internet company best known for its flagship messaging app, KakaoTalk, used by millions across the world for text messaging, voice and video calls, and media sharing. One of its prominent features is the open chatting service, which allows users to join chat rooms on various topics without revealing their personal information.
Exposure details
The PIPC initiated an investigation after a March 2023 media report revealed the illegal trading of personal information belonging to users of KakaoTalk’s open chatting service. The investigation uncovered that hackers had exploited vulnerabilities in the system to access user information. They then combined these details with data obtained through KakaoTalk’s friend addition feature and other illegal programs, ultimately creating and selling files based on user serial numbers.
One of the critical findings of the investigation was the violation of security measures by Kakao. Despite promoting the open chatting service as anonymous, Kakao used the same member serial numbers for both general and open chats, compromising user anonymity.
PIPC
Additionally, open chats created before August 2020 did not encrypt temporary IDs, making it easy for attackers to derive member serial numbers. Even after August 2020, although temporary IDs were encrypted, a vulnerability allowed the decryption and exposure of these IDs when entered into the open chat bulletin board.
The investigation also highlighted Kakao’s inadequate review and improvement of the existing security measures, failing to address the highlighted issues despite multiple warnings from the developer community about the risks of extracting user information through the analysis of KakaoTalk’s transmission methods.
Finally, PIPC says that Kakao failed to report the data breach or notify the affected users, violating personal information protection laws. This non-compliance persisted even after the company became aware of the fact that user information was circulated online through media reports, and later, the PIPC’s investigation.
In response to these findings, the PIPC has imposed a fine of 15.14 billion KRW for security measure violations and an additional 7.8 million KRW penalty for failing to notify the data breach, which corresponds to roughly $11.5 million. Kakao is also required to notify the affected users about the data breach and announce the results of these measures on the PIPC’s website.