This study deals with four judicial cases that customer ‘s personal information divulged by hacking. First, Auction Case was hacked because it did not take a very basic technical measure, but the Supreme Court ruled that Auction did not have any liability for damages because there was no obligation to require that protection measures in the law at that time. Second, Cyworld Case, that was sentenced at Appellate Court immediately after the Auction Supreme Court ruling, even if it is a civil case, it was judged that SK Communications action is not liable for damages because it does not comply with the punishment requirements set forth in the law. Third, KT MyOlleh Case, an abstract and inclusive obligation clause was adopted as a rule of administrative penalty. Because the clause is not appropriate as the basis for disposing of sanctions, Korea Communications Commission (KCC) lost in the Seoul Administrative Court. After that, most of the related civil cases quoted the reason for the administrative case as “there is no civil illegal act unless there is an administrative legal obligation violation”. Fourth, KT N-STEP Case was similar to the case of the hacker’s attack technique and its weak point caused by the hacking of the KT MyOlleh Case. In spite of the similarity, KCC did not charge a penalty, and the civil court recognized the liability for damages at KT N-STEP Case. These four judicial cases are in conflict with the basic tort liability law, and among the rulings, it is difficult to find the regularity between the difficulty of hacking and the liability of the corporation. The reason for this confusion is that the case law on hacking does not accumulate enough, but basically, the court does not recognize the difference between the requirements of administrative legal sanctions and the requirements of the civil liability. The basis of the sanctions under the administrative ;aw must be specified only by specific and individual obligations in accordance with the principle of ‘Nulla poena sine lege’. In contrast, civil obligations that are the basis for judging negligence in tort include not only the obligations set forth by law, but also the abstract and inclusive obligations required of the average person in the industry concerned. After Auction Case ruling, the court tends to identify requirements of both parties. This is not correspond to the basic tort liability law and the nature of information protection techniques.