
Duo Info, South Korea's top matchmaking company, leaked the personal information of 430,000 members, authorities said. The leaked items went far beyond names and email addresses to include religion, hobbies, height, weight, education and remarriage history. Excluding income and asset information, virtually all of the members' personal details were exposed externally.
The Personal Information Protection Commission (PIPC) announced Wednesday that a work PC belonging to an employee handling personal information at Duo was hacked in December last year, leaking the personal data of 427,464 regular members.
The 24 leaked items included user ID, password, name, date of birth, resident registration number, gender, email, mobile phone number, address, height, weight, blood type, religion, hobbies, marital history, sibling relationships, whether the member is the eldest son or daughter, school name, major, academic records, workplace name and date of employment. This covers nearly everything except income and asset information, which Duo said it "does not store separately."
Multiple security flaws were also identified. Duo failed to implement measures to block access to its member database after a certain number of failed authentication attempts by hackers, and applied unsafe encryption algorithms to resident registration numbers and passwords. The company collected and stored resident registration numbers during regular membership registration without legal grounds, and did not destroy member information even after the five-year retention period specified in its privacy policy had expired. A total of 298,566 members whose data was leaked had their information retained in violation of the destruction obligation.
Although the matchmaking business by its nature collects sensitive information that reveals details of members' personal lives, such as education, religion and workplace, in addition to basic personal data, Duo failed to notify affected members immediately after becoming aware of the hack.
The PIPC imposed a fine of 1.197 billion won ($830,000) and an administrative penalty of 13.2 million won on Duo, and ordered the company to immediately notify members of the leak. The commission also ordered Duo to publish the details of the disposition on its website.
"Under the Marriage Brokerage Business Act, there is no explicit basis for domestic marriage brokerage businesses to collect resident registration numbers, but it was confirmed that Duo collected and leaked this information," said Lee Jung-eun, head of the PIPC's Investigation Division 2. "After recognizing the legal violation during the investigation, Duo has corrected its practice and now only collects dates of birth at the time of registration."





