Temporary IDs Used Without Encryption
Personal Information Commission "Investigating the Scale of Leakage"
The Personal Information Protection Commission (PIPC) has held Kakao responsible for the personal information leak incident in KakaoTalk Open Chat rooms and decided to impose a fine of 15.1 billion KRW, the largest ever imposed on a domestic company. Previously, the screen golf company Golfzon was fined approximately 7.5 billion KRW for leaking personal information of 2.21 million people.
On the 22nd, the PIPC held a plenary meeting and announced on the 23rd that it had resolved to impose a fine of 15.1 billion KRW and a penalty of 7.8 million KRW on Kakao for violating the Personal Information Protection Act. In addition, it ordered Kakao to notify users of the leak and decided to publish the disciplinary results on the PIPC website.
The PIPC has been investigating whether Kakao violated the Personal Information Protection Act following reports in March that personal information of KakaoTalk Open Chat users was being illegally traded.
The investigation revealed that Kakao operated Open Chat rooms that claimed to be anonymous, yet generated temporary IDs simply by combining the member serial numbers used in regular chats with Open Chat room information, and used them without encryption.
From August 2020, encryption was applied to temporary IDs, but some Open Chat rooms created before then did not receive this measure. Even where posts in those earlier rooms did use encrypted temporary IDs, the encryption was found not to have been applied properly.
According to the PIPC, hackers exploited this vulnerability to obtain temporary IDs and member serial numbers, and combined the member serial numbers with other information to sell them.
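As an added illustration (not Kakao's code; the member serial numbers, room IDs and key are constructed), the weak construction described above beside a keyed-pseudonym alternative that a designer would reach for: a temporary ID derived with an HMAC cannot be inverted without the server-side key and is not linkable across rooms.

```python
import hashlib
import hmac
import secrets


# Assumed illustration of the weak scheme: the temporary Open Chat ID is just the
# member serial number joined to the room identifier. No secret is involved, so
# anyone who sees the ID can split it back into its parts.
def weak_temp_id(member_serial: int, room_id: int) -> str:
    return f"{member_serial}-{room_id}"


def recover_serial_from_weak_id(temp_id: str) -> int:
    # Shows why the weak ID is not anonymous: the serial is simply the first field.
    return int(temp_id.split("-")[0])


# Hardened alternative: derive the per-room pseudonym with HMAC-SHA256 under a
# server-side key. The mapping is deterministic (the same member keeps the same
# pseudonym inside one room) but cannot be inverted without the key, and the same
# member gets an unrelated pseudonym in every other room.
def pseudonymous_temp_id(member_serial: int, room_id: int, server_key: bytes) -> str:
    msg = f"{member_serial}:{room_id}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:32]


def check_properties(server_key: bytes) -> dict:
    """Return which privacy properties each scheme satisfies for constructed inputs."""
    serial, room_a, room_b = 123456, 55, 56
    weak = weak_temp_id(serial, room_a)
    strong_a = pseudonymous_temp_id(serial, room_a, server_key)
    strong_b = pseudonymous_temp_id(serial, room_b, server_key)
    return {
        "weak_id_reveals_serial": recover_serial_from_weak_id(weak) == serial,
        "strong_id_stable_in_room": strong_a == pseudonymous_temp_id(serial, room_a, server_key),
        "strong_id_unlinkable_across_rooms": strong_a != strong_b,
        "strong_id_hides_serial": str(serial) not in strong_a,
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed for the demo; kept server-side in practice
    for name, ok in check_properties(demo_key).items():
        print(f"{name}: {ok}")
```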
A PIPC official stated, "The exact scale of the leak is currently under police investigation," adding, "We confirmed that information of about 696 KakaoTalk Open Chat users was posted on a specific site, and through log analysis, we verified that the hacker accessed at least 65,719 cases."
They further added, "Considering posts on Telegram and other platforms where hackers offered user information in exchange for revealing specific Open Chat rooms, we concluded that a significant amount of information was leaked."
Although illegal methods that abuse KakaoTalk application programming interfaces (APIs) had already been disclosed in developer communities, Kakao was found to have failed to properly inspect them and to take measures against the possibility of personal information leaks.
Moreover, although Kakao recognized in March last year that personal information of KakaoTalk Open Chat users was being leaked, it was also found that it neither reported the leak nor notified users.
The PIPC stated, "For services like KakaoTalk used by the majority of the population, continuous efforts are needed to inspect and improve security vulnerabilities and to verify the possibility of personal information infringement during the design and development processes."
Meanwhile, Kakao has expressed its intention to actively consider responses such as administrative lawsuits, claiming the PIPC's decision is unfair. Kakao explained, "Member serial numbers and temporary IDs are strings composed of numbers and do not contain any personal information by themselves, making individual identification impossible. Since they are not subject to encryption under relevant laws, failure to encrypt them should not be considered a violation of the law."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.