Victims of matchmaking company's data breach criticize fine as too lenient
Published: 24 Apr. 2026, 11:16
The logo of Duo, Korea's largest matchmaking company, is seen outside its headquarters in Gangnam District, southern Seoul, on April 23 [YONHAP]
Victims of a massive data leak by Korea’s largest matchmaking company, Duo, are criticizing the 1.2 billion won ($810,000) fine, arguing that the amount works out to a mere 3,000 won per customer for the nearly 430,000 individuals affected.
During a plenary session earlier on Tuesday, the Personal Information Protection Commission (PIPC) decided to impose a fine of 1.197 billion won and an administrative penalty of 13.2 million won on Duo for leaking the personal data of 427,464 members. It also ordered the company to promptly notify affected members and disclose the disciplinary measures it received on its website.
The data breach occurred in January last year, when an employee’s work computer was hacked. The compromised data included at least 24 types of personal information, including names, residential addresses, email addresses, educational background and blood type.
Authorities found Duo’s security management to be inadequate, as it did not limit the number of failed authentication attempts when accessing the database, leaving it vulnerable to brute-force attacks. Additionally, the company employed weak encryption methods for members’ passwords and resident registration numbers.
After the PIPC’s decision was made public, people online argued that the level of sanctions does not match the scale of the breach. Many questioned whether the roughly 1.2 billion won fine should be higher, given the extent of the leak, and others pointed out that the amount translates to about 3,000 won per victim.
Under the current Personal Information Protection Act, fines for data breaches can be imposed at up to 3 percent of a company’s total revenue. In Duo’s case, the fine was calculated based on its average annual revenue over the past three years, which reportedly stood at 41.3 billion won, and was reduced further under mitigation provisions for small- and medium-sized enterprises. Meanwhile, the 13.2 million won administrative penalty was determined based on the company’s failure to oversee three obligations: destroying the data, reporting the incident and notifying affected customers.
“Starting in September, when the punitive surcharge system takes effect, the cap on fines will be raised from 3 percent of [a company’s] total revenue to 10 percent in cases of repeated serious violations or large-scale data leaks,” a PIPC official said. The Duo case was subject to the previous standard because the breach occurred before the revised law took effect.
Duo issued an apology on its website, writing, “We sincerely bow our heads in apology for causing concern to members who have trusted and supported Duo.”
“We inform you that no damage has occurred to members who made inquiries or signed up after Jan. 28 last year,” the company continued. “We are thoroughly strengthening our security to prevent a recurrence of similar incidents.”
Duo said that, as of now, no secondary damage from the leak has been reported.
Gangnam District, which has jurisdiction over Duo, plans to conduct an on-site inspection next week. Depending on the investigation’s results, the company may face additional administrative measures, such as fines or a business suspension.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM MIN-WOOK




