Imposition of 84.4 Million KRW in Fines and Penalties for Violations of Safety Assurance Obligations
[Asia Economy Reporter Eunmo Koo] On the 9th, the Personal Information Protection Commission held the 10th plenary meeting at the Government Seoul Office and announced that it imposed corrective measures including fines of 53.4 million KRW and penalties of 31 million KRW on six businesses, including Microsoft and Ground One, a Kakao Group affiliate. The Commission began an investigation after receiving reports of personal information leaks due to hacking and employee errors, and with technical support from the Korea Internet & Security Agency (KISA), confirmed the following violations.
First, Microsoft failed to implement access control for the administrator account of its personal information processing system, resulting in the leakage of some users' personal information, and delayed reporting the leak and notifying users. Two businesses, including Ground One, leaked resident registration numbers in an unencrypted state due to negligent password management, and delayed reporting and notification of the personal information leak. Additionally, the Korea Professional Football League was found to have failed to notify users of their right to refuse consent when providing personal information to third parties, and two businesses, including the Korea Mountain Bike Federation, failed to fulfill safety measure obligations such as access control for the administrator page of their personal information processing systems.
The Personal Information Protection Commission imposed penalties on all six companies for violating legal obligations related to personal information leak reporting, notification, and safety measures. Furthermore, fines were imposed on three companies, including Microsoft, for violating access control obligations or failing to encrypt resident registration numbers, and improvement recommendations were issued to three companies, including Ground One, for negligence in managing personal information handlers.
Song Sang-hoon, Director of the Investigation and Coordination Bureau at the Personal Information Protection Commission, stated, “If a business neglects the management of collected personal information and a leak occurs, it can be exploited for crimes such as voice phishing, causing secondary damage. We will continue strict law enforcement against violations of legal obligations necessary to prevent personal information leaks, and hope this case serves as an opportunity for businesses to pay special attention to personal information management.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


