Key Takeaways
- LKB is seeking 1 million won per plaintiff, roughly 10 times the typical Korean data-breach award, arguing matchmaking data demands a higher standard.
- Duo’s breach exposed marriage histories, grounds for divorce, religion, and resident registration numbers — categorically worse than typical app data leaks.
- The dating industry’s push toward stricter verification is creating exactly the data concentration the Duo case is now testing in court.
Your name. Your contact information. The age at which you first married and the duration of that marriage. Why the marriage ended. The name of your former spouse. Number of children. Religious affiliation.
Your resident registration number, which is essentially equivalent to a Social Security number and includes an embedded date of birth and sex.
This is the type of information that a careful matchmaker accumulates over several months. And it’s the kind of information that can be lost in a few hours by an employee’s inadvertent action.
That's what happened at Duo, one of Korea's largest matchmaking companies. The personal information of 420,464 members was lost when a Duo employee's work computer was hacked in 2025. The Korean Personal Information Protection Commission imposed a fine of 1.197 billion won on the company.
Duo is now being sued in the first class action lawsuit involving a breach of information by a matchmaking company. The damages requested by plaintiffs are substantially greater than is typical for Korea.
This is particularly important for an industry that has recently invested heavily in increased verification measures to overcome online swiping fatigue.
Compensatory Damages Sought Far Exceed Korea's Norm
The law firm LKB has filed two complaints in the Seoul Central District Court naming 501 plaintiffs and seeking compensation of 1 million won (approximately $720) per plaintiff. This appears to be a relatively modest amount for compensation compared with amounts requested in U.S. lawsuits.
It is more than the typical damages awarded for breaches of information by other types of commercial enterprises in Korea, which generally run between 100,000 and 300,000 won (roughly $72 to $216).
The reason for the higher damages is that information held by a matchmaking company is substantially more sensitive than information obtained by other electronic commerce, and appropriate standards of responsibility should apply.
"Given the sensitivity of the information held by a matchmaking company, its responsibility cannot be taken lightly," attorney Jung Tae-won said. He added that the lawsuit was filed in part with the hope that it "will serve as an opportunity to raise awareness about the importance of personal data protection."
The argument is that Matchmaking companies are holding on to something potentially more damaging than they imagine, and a Korean court is about to put a price on that risk for the first time.
Why This Data Is Categorically Worse
What does a typical breach of an online application expose? Emails, telephone numbers, encrypted passwords, a few photographs and perhaps some records of electronic conversations — not pleasant, but certainly manageable.
An information breach at a matchmaking company would reveal the kind of data you would provide to a human matchmaker helping you find a partner.
In the Duo case, this included information on previous marriages, the grounds for divorce, length of prior marriages, names of ex-spouses, number of children, religious beliefs, and resident registration record details.
"The gravity of the harm is significant given that private information closely tied to personal life, held by a matchmaking company, was leaked," the firm wrote in its filing, justifying the higher damages ask.
The Industry Spent Two Years Asking for More Data
For most of the past two years, the prevailing theme of the industry has been that what consumers really want — and will continue to pay for — is verification: verified profiles, screened matches, photographs of real human subjects, and matchmaking systems capable of "knowing" the consumer.
This included the experimental use of iris scans by Tinder, a major reorientation toward high quality standards by Bumble, and an explosive worldwide demand for human-screened matchmaking services.
All of these developments were based on the assumption that consumers would be willing to provide more information in exchange for substantially reduced risks of encountering fraudulent or deceptive activities.
Korean precedent vs the Duo class action ask
Per-plaintiff damages
The world is sick of bots, ghosts, and catfish, and a more complete profile provides less surface for liars to exploit.
The Duo experience illustrates the tradeoff behind that model. The more detailed a service's user profile becomes, the greater the damage from a single security breach — and the greater the legal and financial exposure.
This isn't theoretical, and Korea is certainly not the first to confront these problems.
Bloomberg reported on the breach of Japan's Omiai dating service in 2021. TechCrunch described the exposure of data from the Raw dating app last May, and the FTC resolved its enforcement action against Match Group for the company's handling of facial-recognition technology earlier this year.
What makes Duo's situation different is that none of these cases involved the highly curated profiles characteristic of a matchmaking service. Duo may become an early test of whether courts and regulators assign greater damages to breaches that involve highly intimate matchmaking data
Warnings From Industry Security Pros Went Unheeded
This will be particularly important as dating and matchmaking services adopt stricter identity-verification systems. The experience with Duo isn't a prescription for what needs to be fixed, but rather a statement of the cost of maintaining sensitive personal data.
For more than a year, data protection consultants have urged platforms to implement stronger safeguards, including stored data encryption, separate storage for identification numbers, and tightly restricted employee access to the systems containing the most sensitive user data.
But the industry has shown little urgency in adopting those safeguards. Korea's Personal Information Protection Commission concluded that Duo's preventative measures failed to meet required standards.
Another important issue is how insurers assess the risks associated with large matchmaking services. Insurers continue to price these risks with little precision and excessive optimism, similar to how they assessed hospital cybersecurity risks a decade ago.
The Duo case could become a standard for assessing the financial risks associated with breaches of highly sensitive matchmaking data.
The Trade-Off the Industry Has Been Avoiding
All three pressures are unfolding simultaneously, and for some operators the economics may no longer work.
Duo isn't a small company with limited resources, but the country's largest matchmaker able to fund a serious security program. If a landmark class-action lawsuit and 1.197 billion won are the cost to the country's largest matchmaker, smaller competitors may struggle to absorb similar risks.
The industry argues that richer data produces better matches, and that may well be true. But it also increases the cost of security breaches beyond that of basic email and password leaks. Korea has just quantified the difference.