Security Incidents and Privacy Insight: 2026-04-27
This newsletter covers major data breaches, legal precedents, and regulatory shifts for CISO/CPO roles. We look at the Duo data leak, the BlackFile hacking group's tactics, the KFTC's platform liability reforms, and strengthened responsibilities under the Personal Information Protection Act.
1. Data Breach Incidents and Insights
Duo Data Leak Affecting 430,000 Users: Delayed Notification Controversy
The matchmaking agency Duo is under fire after it emerged that the personal data of 430,000 members was leaked. The compromised information includes not only names and phone numbers but also sensitive data such as height, weight, religion, and workplace names. According to Namuwiki, a staff member's work PC at Duo was compromised around January 2025, exposing the data of 430,000 active members as well as records of former members who had already cancelled. Duo is now facing backlash for allegedly failing to report the breach in a timely manner. The yardstick for that criticism is the Personal Information Protection Act's notification duty: once a controller becomes aware of a breach it must notify the affected individuals and, above the reporting threshold, report to the Personal Information Protection Commission within 72 hours, and the fact that an endpoint compromise rather than a server intrusion was the entry point does not change that clock.

New Hacking Group 'BlackFile' Targets Corporate Accounts via Call Center Impersonation
A new financially motivated hacking group known as 'BlackFile' has been identified conducting data-theft and extortion attacks, primarily against the retail, hotel, and lodging industries, since the beginning of this year. The group's entry point is social engineering rather than a software exploit: it impersonates call center staff to take over corporate accounts, which means the control that matters is the identity-verification procedure for password resets and account recovery, not a patch.

KFTC Takes Action Against 'Liability Exemption Clauses' in Platform Privacy Policies
Major platform companies like Coupang and Naver will no longer be able to use terms and conditions that unfairly exempt them from liability for damages in the event of a personal information breach. According to JoongAng Ilbo, the Korea Fair Trade Commission (KFTC) has been pushing for the correction of these exemption clauses following a presidential briefing prompted by the Coupang data breach late last year.

2. Breach Incidents and Legal Implications
Discussion on Expanding Class Action Lawsuits: Sparked by the Coupang Incident
Following the massive data breach at Coupang (33.7 million customer records), there is growing momentum to expand the class action system, previously limited to the securities sector, to personal information cases. According to The Dong-A Ilbo, the Ministry of Justice has expressed its 'acceptance' of this expansion. Past attempts to broaden the Class Action Act failed in the National Assembly over concerns that frivolous lawsuits would hinder corporate activity, but the recent incident has reignited the push. For companies the implication is significant: a large-scale breach could now be met with a single collective damages suit rather than scattered individual claims.

Record-High Cyber Security Incidents in 2025: 'Basic Security' Failure to Blame
Cyber security incidents in South Korea reached a record high of 2,383 in 2025. Outsourcing Times argues that the essence of the security crisis lies not in advanced hacking techniques but in the failure to implement basic controls such as encryption, access control, and account management. The practical signal is that companies which cannot demonstrate compliance with these baseline obligations will find it hard to avoid legal consequences, including fines and damages, once an incident occurs.

From the 2014 Card Company Crisis to 2026: The Evolution of Security Legislation
ZDNet Korea featured a column by Kang Eun-seong, a professor in the Division of Intelligent Information Security at Seoul Women's University, analyzing how the legislative environment has shifted since the 2014 credit card data breach that affected 100 million records. The column highlights that governance has been significantly strengthened: the CEO is now explicitly defined as the person ultimately responsible for privacy, and a system for designating and notifying a Chief Privacy Officer (CPO) by board resolution has been introduced. Companies should take note, because the legal liability of management is now far more clearly defined.
3. Latest Status of Personal Information Protection Law (Must-read for CISO/CPOs)
① Amendment to Privacy Law Passed: Strengthening Obligations for Employers and CEOs (February 2026)
Following the passage of the amendment to the Personal Information Protection Act on February 12, 2026, business owners and representatives now have a legal obligation to effectively implement comprehensive management measures, including securing professional personnel and providing sufficient budget for privacy protection. This aims to strengthen preventive privacy activities by guaranteeing the practical roles and authority of CPOs.
② ISMS-P Certification Mandate: Effective July 1, 2027
According to the Law Times, amendments to the Personal Information Protection Act, the Information and Communications Network Act, and the Telecommunications Business Act now mandate ISMS-P certification for data controllers meeting criteria set by the Presidential Decree. Specific targets will be defined in the enforcement decree, and the mandate will take effect on July 1, 2027, allowing time for preparation and budget allocation. Companies should begin planning for their ISMS-P certification now.
③ KFTC Reforms and CISO/CPO Liability
As the KFTC pushes to reform the exemption clauses of major platforms such as Coupang and Naver, it has become virtually impossible for companies to escape liability for breach damages through contract terms alone. This means CISOs and CPOs now face direct and tangible exposure to damages claims when a security incident occurs. CPOs should review their terms of service and proactively verify that breach response procedures (regulatory reporting, victim notification, and so on) are documented and rehearsed, since the timeliness of notification is itself a point of liability.
This newsletter is based on publicly available sources and does not constitute legal advice. Please consult with an expert regarding specific legal matters.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.