Resident Registration Number, ID, and Password... Serious Personal Information Leaks in Public and Private Sector Operators
Includes Many Famous Companies Like Yanolja and Source Music
Many Cases Not Disclosed as Only Those with Over 100,000 Victims Are Announced
Assemblyman Kang Byung-won: "Disclosure Criteria for Personal Information Leaks Are Arbitrary... Citizens' Right to Know Must Be Guaranteed"
[Asia Economy Reporter Oh Ju-yeon] It has been revealed that personal information leaks continue indiscriminately across public institutions and private businesses, even after the personal information of about 80,000 people, including customer names, phone numbers, birthdays, and purchase histories, was leaked last year from the luxury brand Chanel Korea. However, the standard for publicly disclosing the aftermath of personal information leaks is limited to cases where the number of victims exceeds 100,000, raising concerns that the public's right to know is being infringed when the number of victims does not meet this threshold.
According to data that Kang Byung-won, a Democratic Party of Korea member of the National Assembly's Political Affairs Committee, received on the 8th from the Personal Information Protection Commission (PIPC), the number of private businesses and information and communication service providers reporting personal information leaks over the past three years (2019 to June 2022) was 509, with a total of 38.28 million reported cases (including possible false or duplicate reports).
Counting public institutions separately, the number of institutions reporting personal information leaks was 54, with about 380,000 reported cases.
The reporting entities included public institutions such as Suwon City Hall as well as many well-known companies familiar to the public, such as Source Music, Chanel, and Yanolja, indicating that personal information leaks are occurring regardless of whether the entity is a public institution or a private business.
Although the number of reported personal information leak cases exceeded 38 million over three years, institutions and companies that violated safety measures were only lightly penalized. The total fines for public institutions amounted to 76.2 million KRW, while the total penalties for private businesses and information and communication service providers were about 1.7 billion KRW in fines and about 300 million KRW in penalties. The leaked personal information included names, contact information, addresses, emails, occupations, gender, resident registration numbers, alma maters, IDs, and passwords. Considering that sensitive personal information of more than half the population is leaking, the level of punishment is criticized as being too lenient.
Another issue is that the disclosure standards for notifying such personal information leaks are arbitrary, meaning that if the number of victims is small, even this notification may not occur. According to Article 2 (Disclosure Requirements) of the "Personal Information Protection Commission Disposition Result Disclosure Standards," the results of dispositions can be disclosed only when the number of victims from personal information leaks or infringement incidents is 100,000 or more.
Kang's office pointed out that the PIPC currently has no clear standards for collecting information on leak locations and recovery status, and that follow-up management is being neglected despite the leakage of highly sensitive personal information.
Kang said, "Even though each public institution establishes a 'Personal Information Protection Implementation Plan,' the continuous leakage of personal information indicates a serious flaw in the current system," adding, "The PIPC should go beyond simply distributing leak prevention measures and establish agreements with public and private institutions to regularly review implementation and perform effective functions."
He continued, "The PIPC's disclosure requirements for disposition results are also arbitrary," explaining, "Under the current requirements, disclosure is only possible when the number of victims is 100,000 or more." He then questioned, "Does that mean if there are 99,999 victims, disclosure is not allowed?" emphasizing, "This goes against common sense and infringes on the public's right to know."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.



