The Personal Information Protection Commission held its seventh plenary meeting on April 22 and decided to impose a total of 4.79 billion won in penalty surcharges and 17.4 million won in administrative fines on 3 companies that violated personal data protection rules. It also approved corrective measures and orders to publicise the sanctions.
The companies punished were KS Korea Employment Information, Duo Information and Geumneung Park Cemetery. All three suffered personal data leaks after neglecting security measures for their personal information processing systems and processed resident registration numbers without legal grounds.
According to the commission, a hacker obtained administrator account credentials for KS Korea Employment Information's personal information processing system. On April 15, 2025, the hacker accessed the administrator page and downloaded and leaked personal data on 40,875 people, including counsellors, headquarters staff and job applicants (trainees).
The leaked information included resident registration copies, copies of identification, copies of bankbooks and family relation certificates submitted by KS Korea Employment counsellors and staff during hiring and employment. It included not only the individuals' own information but also a large amount of family members' personal data.
The hacker later posted the leaked information on the dark web and attempted to trade the database in their possession. The investigation found that KS Korea Employment operated general HR management functions and call centre operations functions on the personal information processing system but did not restrict access permissions by IP address. It also did not apply a secure means of access or authentication, so the system could be reached from outside without restriction using only an ID and password.
The commission imposed a penalty surcharge of 3.54 billion won and an administrative fine of 4.2 million won on KS Korea Employment. It ordered the company to regularly check access logs and personal data download activity for its personal information processing system, and to establish and operate guidelines on personal data destruction.
Duo Information, a marriage information company, received a penalty surcharge of 1.2 billion won and an administrative fine of 13.2 million won over a hacking incident that leaked the personal data of all full members.
In January 2025, a hacker infected an internet-connected work PC used by a Duo Information employee with malware. After obtaining DB server account information, the hacker accessed the member database server and downloaded and leaked personal data on all 427,464 full members.
The investigation found that Duo Information had not configured measures such as restricting access after a set number of failed authentication attempts on the member DB that stores full members' personal data. It had also applied unsafe encryption algorithms to resident registration numbers and passwords. The investigation thus confirmed violations of required data security measures.
It also found that the company, without separate legal grounds, collected and stored resident registration numbers when members signed up. Duo Information also failed to destroy 298,566 cases of full member information after the 5-year retention period stated in its privacy policy had passed.
The investigation found that Duo Information, even after confirming the breach, delayed filing its leak report beyond 72 hours without a valid reason. It also found that, given the nature of marriage brokerage, the company collects large amounts of sensitive information reflecting a person's life and tendencies, including education, religion and workplace, in addition to the basic personal data of prospective spouses. Despite the leak, the company has still not notified data subjects of the breach, showing negligence in responding to prevent secondary harm.
Geumneung Park Cemetery suffered an incident in which personal data on 5,373 users, including names, resident registration numbers and mobile phone numbers, were leaked in a hacker attack that exploited a parameter tampering vulnerability on its website's maintenance fee lookup and payment page.
The investigation found that Geumneung Park Cemetery neglected checks and measures for the parameter tampering vulnerability on its website. It was also found to have violated required protection measures by not applying encrypted communications when transmitting personal data over the internet and by storing resident registration numbers in plain text.
The commission imposed a penalty surcharge of 54.2 million won on Geumneung Park Cemetery. It ordered corrective measures to strengthen its personal data security management system, including vulnerability checks of its personal information processing system and encryption, to prevent a recurrence.