Kakao fined 15.1 billion gained for ‘private data leak’ – the biggest ever high quality… Kakao “Reviewing administrative litigation, and so forth.”

The Private Data Safety Fee discovered that the private data of no less than 65,000 KakaoTalk customers was leaked and imposed a high quality of 15.1 billion gained, the biggest ever, on Kakao.

In response to the Private Data Fee on the twenty third, it was confirmed that non-public data of KakaoTalk customers that had been leaked to hackers, together with names and cell phone numbers, was offered available on the market. The Private Data Fee decided that Kakao violated the Private Data Safety Act by neglecting private data administration and supervision and failing to meet its obligations, corresponding to notification of leaks, and determined to impose a high quality of 15.14196 billion gained and a high quality of seven.8 million gained. Kakao mentioned it “can’t be accepted” and introduced a robust response coverage, together with an administrative lawsuit.

● Used for leaked private data, sending spam textual content messages, and so forth.

The Private Data Committee introduced that it had selected this matter at a common assembly held the day prior to this. In March final 12 months, the Private Data Fee started an investigation into whether or not the private data of KakaoTalk open chat customers was being illegally traded and appeared into whether or not the Private Data Safety Act was violated. On account of the investigation, it was found that the hacker had considered no less than 65,719 items of private data by KakaoTalk, and that the private data leaked to the hacker was offered on Telegram and used to ship spam textual content messages.

In response to the Private Data Commissioner’s Workplace, the hacker took benefit of a vulnerability in KakaoTalk’s open chat room to acquire data (short-term ID/ID) of customers who participated there. The final digit of the short-term ID accommodates the member serial quantity, which is a singular quantity assigned to a person, like a resident registration quantity. The hacker used KakaoTalk’s buddy add perform and an unlawful hacking program to mix the 2 items of knowledge and recognized 5 varieties of private data, together with the consumer’s identify and cell phone quantity. Private data recordsdata have been created utilizing this data and offered illegally.

The Private Data Fee believes that the issue is that Kakao didn’t encrypt the consumer’s short-term ID throughout this course of, and a safety vulnerability occurred by linking the member serial quantity and the short-term ID. Kakao has encrypted the short-term IDs of open chat rooms since August 2020, however the short-term IDs of current open chat rooms haven’t been encrypted. As well as, builders in on-line communities have identified that “it’s potential to extract KakaoTalk consumer data by hacking applications,” but it surely was decided that Kakao had uncared for to assessment and enhance the potential for harm.

In the course of the investigation final 12 months, it was decided that Kakao violated the Private Data Safety Act by failing to report the leak and notify customers even after recognizing that the private data of KakaoTalk open chat customers was being leaked. The Private Data Fee issued a correction order to inform customers of the leak.

● Kakao “Actively contemplating authorized motion, together with administrative litigation”

In response to this, Kakao took a robust stance, saying that there have been variations from the information it had recognized and that it will contemplate authorized motion, corresponding to an administrative lawsuit. Kakao’s place is that non-public identification just isn’t potential with the knowledge raised by the Private Data Fee. Kakao mentioned in an announcement, “We actively made explanations to the Private Data Fee, however we’re very dissatisfied {that a} high quality was imposed,” and added, “We plan to actively assessment numerous measures and responses, together with administrative litigation.”

He continued, “Member serial numbers and short-term IDs are essential data for offering companies, together with messengers, and can’t be personally recognized,” and claimed, “Service serial numbers generated by enterprise operators usually are not topic to encryption below related legal guidelines.” In response to this, an official from the Private Data Fee countered, “We’ve totally heard Kakao’s place, however the choice is made by the Private Data Fee.” Heungryeol Yeom, a professor of knowledge safety at Soonchunhyang College, defined, “If we had identified that there was a vulnerability within the short-term ID, we wanted to take motion to stop it from giving a purpose for a secondary assault,” including, “It’s potential that the measures on this regard have been lax.”

Reporter Lee Chae-wan chaewani@donga.com
Reporter Nam Hye-jeong namduck2@donga.com