The personal data of approximately 100,000 customers of Lee & Lee Country Club, a golf course in Gapyeong county roughly 55km north-east of Seoul, has been leaked following a website compromise. The Korean National Police Agency is investigating the incident, with sources indicating that suspected North Korean state-sponsored hacking groups are the prime suspects. The breach was uncovered as a byproduct of an ongoing probe into major DPRK-linked threat actors.
What Happened
Lee & Lee Country Club's website was compromised, exposing the records of around 100,000 individuals. According to sources cited by The Straits Times on April 26, 2026, the Korean National Police Agency identified the breach while investigating broader North Korean hacking operations. Investigators believe the golf club's server was infected with malware distributed by a state-aligned threat group, though the specific cluster has not been publicly named. The case has been escalated to a formal police investigation, signaling its perceived strategic importance.
What Was Taken
The leaked dataset is unusually rich in directly exploitable identifiers. Compromised fields include:
- Full names
- Dates of birth
- Gender
- User IDs and passwords
- Phone numbers
- Email addresses
- Home addresses
The combination of credentials with full PII creates a high-value targeting package suitable for credential stuffing, social engineering, and follow-on intrusion against members' personal and corporate accounts. Golf club memberships in South Korea frequently skew toward affluent professionals, executives, and political figures, sharply increasing the strategic value of the dataset beyond its raw record count.
Why It Matters
North Korean cyber units have historically pursued financially motivated theft and intelligence collection in parallel. A membership roster from an elite Seoul-area country club is a near-ideal selector list for spear-phishing, business email compromise, and longer-horizon operations against high-net-worth individuals and the firms they lead. South Korea's defense white paper estimated 8,400 hackers operating under DPRK authority as of 2024, and operations against South Korean civilian targets continue to expand beyond traditional government and defense verticals. Defenders should treat leisure, hospitality, and lifestyle platforms serving wealthy demographics as legitimate state-targeted infrastructure, not low-priority soft targets.
The Attack Technique
Public reporting attributes the intrusion to malware deployed against the country club's web server, consistent with patterns observed across DPRK-aligned clusters such as Lazarus, Kimsuky, and Andariel. While the exact initial access vector has not been disclosed, web server compromises in this region have commonly leveraged unpatched CMS vulnerabilities, exposed administrative panels, and stolen vendor credentials. The presence of plaintext or weakly hashed passwords in the leaked dataset suggests storage practices that would amplify downstream credential-stuffing risk against banking, corporate SSO, and Korean portal services.
What Organizations Should Do
- Audit web-facing infrastructure. Inventory CMS, plugins, and admin panels; patch aggressively and remove unused components.
- Enforce modern credential hygiene. Migrate to salted, slow-hash password storage (Argon2/bcrypt) and require MFA on all customer and admin accounts.
- Hunt for DPRK TTPs. Sweep for indicators tied to Lazarus, Kimsuky, and Andariel, including known web shells, loader families, and outbound C2 to known infrastructure clusters.
- Segment customer-facing servers. Isolate web tier from membership databases and back-office systems to contain lateral movement.
- Notify and protect affected members. Force credential resets, alert customers to targeted phishing risk, and monitor for use of leaked PII in social engineering.
- Engage national CERT and law enforcement early. In South Korea, coordinate with KISA and KNPA cybercrime units to receive threat-actor context and shared IOCs.
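The credential-hygiene and forced-reset items above, as an added example that is not code from the article or from any club system: a verify-and-rehash routine that upgrades a hypothetical unsalted SHA-1 record to a salted slow hash on the member's next successful login, while refusing access to any account flagged as present in the leaked dataset until its password is reset. Python's standard-library scrypt is used as a stand-in for Argon2/bcrypt (which need third-party packages); the pattern is identical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical legacy format: unsalted SHA-1, the kind of weak storage the article describes.
LEGACY_PREFIX = "sha1$"
# scrypt (standard library) stands in for Argon2/bcrypt: salted, slow and memory-hard.
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def legacy_hash(password: str) -> str:
    # Unsalted SHA-1: a leak of these records is directly crackable offline.
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str) -> str:
    """Per-user random salt plus a memory-hard KDF; format: scrypt$<salt>$<digest>."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Constant-time check that understands both the legacy and the new format."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), stored)
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False  # unknown format: fail closed


@dataclass
class Account:
    user_id: str
    stored: str
    must_reset: bool = False  # set for every account present in the leaked dataset


def login(acct: Account, password: str) -> str:
    """Returns 'denied', 'reset_required', 'upgraded' or 'ok'; rehashes legacy records in place."""
    if not verify(acct.stored, password):
        return "denied"
    if acct.must_reset:
        return "reset_required"  # a leaked password must not grant access even when correct
    if acct.stored.startswith(LEGACY_PREFIX):
        acct.stored = strong_hash(password)  # transparent upgrade at first successful login
        return "upgraded"
    return "ok"


def reset_password(acct: Account, new_password: str) -> None:
    acct.stored = strong_hash(new_password)  # new secret lands straight in the strong scheme
    acct.must_reset = False
```

Accounts that never log in again keep their legacy hash, so the breach flag (or a bulk reset) is what protects them, not the upgrade path.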
Sources: Data of 100,000 leaked from golf club; North Korean hackers suspected | The Straits Times