Republic of Korea: Issued ruling in PIPC investigation into Kakao Co. regarding alleged violations of personal information protection regulations

On 23 May 2024, the Personal Information Protection Commission (PIPC) issued a ruling following its investigation into Kakao Corp. regarding alleged violations of personal information protection regulations. The PIPC imposed a fine of KRW 15.1 billion and a penalty of KRW 7.8 million. Additionally, corrective orders and public disclosure of the results were mandated. The investigation was opened following media reports in March of the previous year that personal information of KakaoTalk open chat users was being illegally traded. The PIPC's investigation determined that hackers had exploited vulnerabilities in the open chat rooms to obtain participant information. They used KakaoTalk's friend addition feature and illegal programmes to collect user information, which they then combined based on “user sequence numbers” to create and sell personal information files. Furthermore, despite recognising the leakage of KakaoTalk open chat user information during media reports and the PIPC investigation in March 2023, Kakao Corp. failed to report the leakage and notify users, thereby violating the personal information protection law.