This paper studies the tort liability of the service provider in the data breach cases, focusing on the recent decision of the Korean Supreme Court, the Supreme Court Decision 2015Da24904, 24928, 24935, dated January 25, 2018. The decision has drawn much attention, as the data breach at issue involved personal data of more than 30 million people. The decision gives an answer to the question if the court may recognize the service provider’s negligence in a data breach case, even though the service provider had been complying with the relevant statutes. The Supreme Court states that the regulations set the minimum standards for the protective measures the service provider shall implement. As such, the compliance with the regulations does not necessarily exempts the service provider from civil liability. If the service provider has not taken the reasonable measure which it is expected to and apparently ought to take, it shall be liable for the damages. The decision also touches upon the issue of causation in a data breach case. Any internet service is bound to have vulnerabilities, somewhere in the multilayer, interrelated network system. It is of course very difficult to spot the vulnerability through which the hacker trespassed the system, and understand the course of hacking that actually led to the data leakage. The decision does not explore the causation issue as in depth as it does the negligence issue, but it still provides a rare opportunity to contemplate on whether and how much strict the burden of proof shall be imposed on the plaintiff.