In South Korea, where a national identifier of resident registration number is generally used on the Internet, individuals are exposed to unexpected data breach. In such a case, what kind of remedies are the affected data subjects entitled to? Or what are the Internet service providers obliged to do? In February 2008, an unidentified hacker broke into the website of Korea’s largest e-marketplace, Auction. The personal data of the whole Auction users were apparently leaked out of the country. An emergency meeting was convened and decided to notify the whole users of the incident. Consequently, in January 2010, the Seoul Central District Court ruled in favor of Auction contrary to the expectations. This article explores a couple of typical cases at home and abroad to examine what kind of responsibility the Internet-based businesses should bear. It discusses which compliance the Internet-based businesses are obliged to observe in order to stave off such kind of responsibility. Finally, suggestions will be made what legislation is necessary for the enhanced data protection in Korea. In line with the latest developments overseas, it is advisable for the data protection authority in Korea to adopt the data breach notification duty for the purpose of warning to ISPs and sufficient compensation for the affected users. At least, ISPs dealing with a large volume of personal information are required to establish the compliance standard of data breach notification. It’s because appropriate handling of personal data is pivotal to the individuals and companies engaged in e-commerce for the trustful relationship.