Attorney Jeong Tae-won, head of the class action center at law firm LKB Pyeongsan, described the personal data leak at the matchmaking company Duo this way in a May 22 interview. Jeong is currently representing victims in a class action over the Duo personal data leak. So far, two complaints have been filed naming 501 victims as plaintiffs, and additional suits are being prepared.
This case began in January last year when a Duo employee's work PC was hacked. According to the Personal Information Protection Commission, 420,464 victims have been confirmed. The potentially leaked information included not only basic details such as name, age, and contact information but also sensitive private information such as marriage history, reasons for divorce, length of marriage, the former spouse's name, number of children, personality and disposition. The Personal Information Protection Commission determined that Duo neglected its duty to take safety measures and imposed a penalty surcharge of 1.197 billion won.
In this lawsuit, Attorney Jeong sought 1 million won per person in damages. He said, "In previous personal data leak cases, there are many instances where 100,000–300,000 won per person in consolation money was recognized, but in this case it is difficult to apply that standard as is." The reasons, he said, are that the leaked information is highly sensitive, data past the retention period was kept for a long time, and victims are actually reporting substantial anxiety and fear. The following is a Q&A with Jeong.
—How many victims have expressed their intention to participate in the lawsuit so far?
"We filed complaints for a total of 501 victims in two rounds on May 6 and May 14. Since then, about 400 more victims have expressed their intention to join additional suits. As the number of victims who say they will participate continues to increase, it appears the litigation will expand into a third and fourth round."
—Are there victims who still do not know their personal information was leaked?
"Yes. There are a considerable number of potential victims who have not yet even confirmed whether they are victims. Examples include someone who joined Duo 20 years ago using a now-defunct Yahoo Korea email, or who used a mobile number starting with 011. Some members were even told they must personally find a 20-year-old contract or sign-up documents to have the damage confirmed. This response is not appropriate. The company should establish separate procedures so that long-ago subscribers can also verify whether they were affected."
—What sets this case apart from other personal data leak incidents?
"The nature of the leaked information is different. In past personal data leaks, the issues often involved names, phone numbers, emails, addresses, and user IDs. Of course, that is also serious harm. But this time, the entirety of a person's private life is included, such as marriage history, divorce status, family relationships, religion, education, workplace, income level, physical information, photos, and self-introductions. This is not a simple contact information leak; in effect, an individual's marriage résumé and private life record were leaked in full."
—Why do you think the damage grew so large?
"Because information on members who had already withdrawn or used the service long ago was still retained. Personal information cannot be stored indefinitely on the grounds that 'it might be used later.' In this case, the hacking itself is a problem, but the damage grew because information that should not have been kept remained. In that respect, it is distinct from past cases."
—What do the victims participating in the lawsuit fear most?
"They are very concerned that the data could be misused for voice phishing, financial crimes, or illegal marketing. But the greater fear is not knowing where, by whom, and how private information such as their marriage history, family relationships, workplace, photos, and self-introductions will be used. In fact, some victims have said things to the effect of 'I feel like I was thrown naked into a public square' and 'It feels like someone is constantly watching me, and I'm anxious I may suffer additional harm for the rest of my life.'"
—Why set the compensation at 1 million won per person?
"In previous personal data leak cases, there are many instances where 100,000–300,000 won per person in consolation money was recognized. However, it is difficult to apply that standard as is to this case. There are three reasons. First, the leaked information is highly sensitive. Second, data past the retention period was stored for a long time. Third, victims are actually reporting considerable anxiety and fear. I do not see the claim of 1 million won per person as excessive. On the contrary, considering that this involves the leak of the most intimate information entrusted to a matchmaking company, compensation should be set much higher than in previous personal data leak cases."
—What factors does the court focus on when determining damages?
"The court does not look only at whether information was leaked. It considers comprehensively how sensitive the leaked information is, how serious the company's negligence was, the degree of mental suffering and anxiety the victims experienced, and the likelihood of secondary damage."
—Are there precedents worth referencing?
"In a case where counseling contents were distributed in seminar materials and booklets without consent, the court recognized 10 million won in consolation money. It found that the counseling included highly private information such as family relationships, dating tendencies, religious views, and personal concerns. In a case where a patient's personal and medical information was posted in an online open chat room, 1.5 million won was recognized, and in a case where an address learned through work was written in court documents without consent, 1 million won was recognized. Courts do not look only at whether personal information was leaked; they also weigh the sensitivity of the information, the circumstances of the leak, the possibility of third-party access, the company's negligence, the victim's mental suffering, and post-incident measures. That is why we do not view the claim of 1 million won per person as excessive."
—Other law firms are also preparing class actions. What should victims consider when choosing a law firm?
"They should look at three things. First, whether the firm understands this not as a simple personal data leak but as a case involving sensitive data and invasion of privacy. Second, the litigation strategy must be specific regarding the Personal Information Protection Commission's disposition, violations of safety obligations, failure to destroy data past the retention period, and delays in notification. Third, the communication system with victims is important. In class actions, what matters is not the number of participants but how faithfully the victims' anxiety and individual circumstances are reflected."
—What is needed to prevent recurring personal data leaks?
"There are five key points. Corporations should collect only the personal information they need. Data past the retention period must be deleted. Companies that handle sensitive information, such as matchmaking firms, hospitals, and financial companies, should be required to meet higher security obligations. When an incident occurs, victims must be informed quickly and specifically to prevent further harm. Finally, mechanisms are needed to ensure victims actually receive compensation. For personal information protection to function as an obligation for corporations rather than a choice, not only penalty surcharges but also victim compensation must be enforced effectively."