All appeals are dismissed.

The costs of appeal are assessed against the Defendants.

The grounds of appeal are examined.

1. As to the ground of appeal No. 1 by Defendant Kvier Card Co., Ltd. (hereinafter “Defendant National Card”)

A. For the following reasons, the lower court determined that the Defendant’s card was liable for the damages suffered by the Plaintiffs due to the instant accidents involving the divulgence of customer information pursuant to Article 750 of the Civil Act and Article 39 of the former Personal Information Protection Act (amended by Act No. 13423, Jul. 24, 2015; hereinafter “Personal Information Protection Act”) as the personal information manager violated the legal obligations that the personal information manager should comply with for the protection of personal information, thereby providing the causes of accidents involving the divulgence of customer information included in the Plaintiffs’ personal information.

The Defendant’s national card is a personal information manager prescribed by the Personal Information Protection Act or an electronic financial business operator prescribed by the former Electronic Financial Transactions Act (amended by Act No. 11814, May 22, 2013), and is obligated to take necessary measures to ensure the safety of personal information or to protect user information as prescribed by relevant Acts and subordinate statutes, such as public announcement (based on measures to ensure the safety of personal information), etc.

Nevertheless, in the process of concluding a development service agreement related to the card accident analysis system (FDS) with Defendant A Co., Ltd. (hereinafter “Defendant A”), Defendant A’s national card did not fulfill its duty to take security measures, such as the duty to install and manage security programs, the duty to manage and supervise the card customer’s personal information, the duty to provide encrypted card customer information, the duty to enter into a document agreement on technical and administrative protective measures when entrusting the management of personal information, and the duty not to keep and share user information in the device.

B. Examining in light of the relevant statutes and records, the lower court’s aforementioned determination.