Personal Information Protection Commission Imposes Fines on Businesses Including NeoGames and Coupang

Violation of safety measures, destruction, leakage reporting and notification
Fines totaling 51.6 million KRW imposed on 9 businesses

[Asia Economy Reporter Seungjin Lee] On the 30th, the Personal Information Protection Commission announced at the 19th plenary meeting that it decided to impose a total fine of 51.6 million KRW on nine businesses that violated personal information protection regulations.


The Commission investigated nine businesses (10 cases) reported through leakage reports and media coverage and took corrective actions for the following violations.


An unidentified person carried out an SQL Injection attack to steal user account information (48 people) from the text messaging service operated by PR Company and then sent a large volume of spam messages. SQL Injection is an attack technique in which hackers manipulate an application's database queries to extract the data they want.


The Commission judged that PR Company violated safety obligations such as installing and operating intrusion prevention and detection systems, encrypting passwords, and retaining access logs, as well as obligations to notify and report leaks.


SSG.com sent parcels by attaching new delivery labels without removing incorrectly attached ones, allowing customers who received them to view another person's personal information (1 person). The Commission penalized this act as a violation of the obligation to destroy incorrectly attached delivery labels, which exposed other recipients' personal information.


NeoGames and Richmont Korea leaked the personal information of 36 individuals and 1 individual, respectively, due to security negligence by administrators, such as source code configuration errors. In particular, Richmont Korea reported the leak and notified users more than 24 hours after learning of it.


KT accidentally sent customers URLs that were logged in with test accounts, resulting in the leakage of personal information (1 person). The Commission judged that KT violated safety obligations.


Nanda leaked personal information of 30 people due to negligence in safety obligations, such as setting the read permission of pages containing personal information to "non-members or higher" instead of "administrator," and notified and reported the leak after 24 hours.


Day One Company mistakenly edited an Excel file containing delivery information, which was then delivered to others, leaking personal information of 82 people. The Commission confirmed that the notification of the leak was delayed.


Two cases were reported against Coupang. Coupang leaked personal information of 14 people due to negligence in safety obligations during the app update process. Additionally, Coupang Eats Store sent text messages without destroying personal information of restaurant owners who had not completed membership registration or had requested service suspension.


Great Mobile did not clearly inform users of the purposes of personal information collection and did not distinguish each consent item when obtaining consent for personal information processing.


Jinseong Cheol, Head of Investigation Division 2 at the Commission, said, "Recently, there have been frequent cases where hackers attack websites providing text messaging services to send large volumes of spam messages," adding, "Businesses operating text messaging services that could be targeted by hackers need to take proactive protective measures such as regular website vulnerability checks and introducing additional authentication methods during user login to prevent incidents."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
