South Korea fines matchmaking app after hackers stole 420,000 bedroom histories


South Korea has fined Duo, one of its most popular matchmaking firms, $815,000 after a major cyberattack exposed everything from blood types to the bedroom histories of nearly half a million singles.

The breach went far beyond routine contact details. According to authorities, the compromised data included not only basic personal details such as login credentials, names, dates of birth, resident registration numbers, phone numbers, and home addresses, but also sensitive data such as height, weight, blood type, religion, hobbies, marital history, family relationships, education, and workplace information.

The country’s Personal Information Protection Commission (PIPC) has imposed a fine of about $815,000 on Duo, citing serious lapses in how the company protected and managed user data.

The case underscores the country’s increasingly hard line on privacy violations. Authorities have stepped up scrutiny following a string of large-scale breaches, including the massive leak at e-commerce giant Coupang, where more than 33 million user accounts were exposed, one of the largest incidents in the country’s history.

That breach triggered public backlash and government probes, with officials explicitly blaming weak internal controls rather than sophisticated hacking techniques.

Crackdown gathers pace

In Duo’s case, investigators found that it had failed to implement adequate security safeguards to protect its membership database. For one, it did not limit the number of failed authentication attempts, a measure that blocks repeated attempts to access its databases.

Alarmingly, it also failed to use secure encryption mechanisms to safeguard the resident registration numbers, which it had no legal basis for collecting in the first place. Authorities also blamed Duo for breaching data retention rules by retaining outdated personal information, including identification numbers and passwords, for nearly 300,000 users well beyond the legally permitted five-year period.

The regulator also criticized the company for failing, without a justifiable reason, to meet its obligation to report the leak within 72 hours.

The PIPC has ordered the company to strengthen its data protection systems and to change its registration process to collect only data relevant to its purposes. The platform has also been ordered to fully disclose details of the breach to affected users and on its website.

The enforcement action fits into a broader pattern of aggressive regulatory intervention as South Korea moves to tighten oversight of corporate data practices. Recently, lawmakers have moved to toughen penalties even further.

Amendments to South Korea’s Personal Information Protection Act now allow regulators to impose fines of up to 10% of a company’s total revenue in severe cases, marking a significant escalation in enforcement powers.

