Last year, Kakao received a penalty surcharge of 10 billion won due to personal information leaks, and it was found to have reduced its investment in information security compared to the previous year. In contrast, Naver, which experienced a personal information leak incident involving its affiliate Japan's LINE through a hacking incident at its subsidiary Naver Cloud during the same period, increased its investment in information security.
According to the Korea Internet & Security Agency (KISA) and the industry on the 15th, Kakao’s investment in information security last year was about 24.6 billion won, a 3.9% decrease from the previous year (approximately 25.6 billion won). Kakao was fined a penalty surcharge of 15.1 billion won by the Personal Information Protection Commission in 2023 due to a personal information leak issue concerning open chat rooms (anonymous group chats).
In contrast, Naver's investment in information security last year was about 55.2 billion won, a 32.6% increase compared to the previous year (41.6 billion won). The industry reports that Naver actively increased its investment in information security in response to the aftermath of the leakage of 510,000 customer information records from its affiliate LINE in Japan through a hacking incident at Naver Cloud. Naver Cloud's investment in information security also increased from 29.7 billion won in 2023 to 33.3 billion won last year, a roughly 12% rise.
The contrasting expenditures on information security investment by the two companies indicate a difference in perspective regarding personal information leak incidents, according to the industry. While Naver acknowledged the LINE hacking incident that occurred in 2023 and actively increased its investment in information security to prevent recurrence, Kakao argued in court that what was exposed were merely random combinations of numbers. They contended that since no personal information was leaked, the penalty surcharge imposed by the Personal Information Protection Commission was invalid. The Seoul Administrative Court also granted Kakao's request for a suspension of the penalty surcharge order last November, meaning that the enforcement of the penalty surcharge is halted until the ruling on its nullity is finalized.
An IT industry official noted, "While Naver is finding ways to increase its investment in information security to resolve the problem, it seems that Kakao is focusing on litigation to avoid paying penalty surcharges and is neglecting to increase its investment in information security."
The proportion of investment in information security relative to total IT investment (hereafter referred to as information security investment ratio) increased for Naver from 3.66% in 2023 to 4.5% in 2024, a rise of 0.84 percentage points (P). However, Kakao's ratio decreased from 3.86% in 2023 to 3.5% in 2024, a drop of 0.36 P. The information security investment ratio indicates whether a corporation allocates sufficient resources to information security in proportion to its expenses on information technology.
This is inconsistent with Kakao's management policy, which has emphasized security enhancement alongside advancements in artificial intelligence (AI) technology. Chung Shina, CEO of Kakao, stated in the '2024 Kakao's Promises and Responsibilities' ESG report published last month, "We deeply recognize the importance of personal information protection and data security in the process of enhancing AI-based services, and we have strengthened the systems to manage them."
Regarding the reduction in information security investment last year, Kakao explained, "The 2023 figure included one-time security costs associated with the establishment of the Ansan Data Center, but last year, as those one-time equipment costs were resolved, the investment in information security slightly decreased." However, security experts argue that if the investment in information technology increased, it should have been natural for the investment in information security to also increase. Kakao raised its investment in information technology by 44.9 billion won last year but decreased its investment in information security by 1 billion won. In contrast, Naver increased its investment in information technology by 99.9 billion won while also raising its investment in information security by 13.6 billion won.
Professor Jang Hang-bae of Chung-Ang University’s Department of Industrial Security stated, "The difference in perspective regarding personal information leak incidents between Naver and Kakao has led to contrasting results in their expenditures on information security investment," adding, "Kakao's decision to increase its investment in information technology last year while actually reducing its investment in information security reveals its passive approach to security investment."