Hackers shift to high-value data as rules lag behind

Apr 27, 2026, 10:39 am


A directory sign is displayed at the headquarters of matchmaking company Duo in Yeoksam-dong, Gangnam, Seoul. /Yonhap

Hackers are increasingly targeting high-value personal data rather than sheer volume, but government regulations still focus primarily on the scale of breaches, raising concerns over gaps in cybersecurity policy.

A recent case involving Duo highlighted the issue, as sensitive personal data of more than 420,000 members was leaked due to weak security management.

According to the Personal Information Protection Commission, personal data of 427,464 registered members was compromised in January last year. The leaked data included not only names and resident registration numbers but also highly sensitive details such as physical characteristics, employment information, bank balances, and real estate holdings—totaling at least 24 categories of personal data.

Given the nature of matchmaking services, the breach effectively exposed what experts describe as “life-level data,” raising concerns about potential secondary damages.

Investigations revealed multiple security flaws. The company had no limit on failed login attempts for employee accounts, allowing hackers to deploy malware and gain access to database server credentials. It also failed to use secure encryption algorithms recommended by government guidelines.

Additionally, data exceeding the legal retention period of five years was not deleted, meaning even former members’ information was leaked.

Experts say the incident underscores the risks of leaving large-scale personal data protection entirely to private companies.

Despite the severity of the breach, penalties were relatively limited. The fine imposed on the company amounted to about 1.2 billion won, calculated at roughly 3,000 won per leaked record—based largely on company size and the number of cases rather than the sensitivity of the data.

This approach raises concerns that companies may weigh the cost of investing in security against potential penalties, undermining proactive protection efforts.

Furthermore, government investigations can only begin after companies report breaches themselves, creating incentives for some firms to delay reporting or quietly replace compromised systems.

While cybersecurity oversight has been strengthened in sectors such as telecommunications and finance, experts warn that hackers are now shifting toward niche industries with weaker defenses but more sensitive data.

The government introduced a comprehensive cybersecurity strategy last October, allowing authorities to launch investigations based on suspected hacking incidents and leverage the National Intelligence Service’s defense capabilities.

However, questions remain about how far government intervention can extend into private-sector data management without raising concerns over surveillance.

Security experts argue that policy should move beyond quantity-based standards and incorporate the “quality” or sensitivity of data.

“One must reconsider a system where companies are only held accountable after incidents through fines, while the government remains largely passive beforehand,” a cybersecurity expert said.
Copyright by Asiatoday