Personal Information Protection Commission Applies Strengthened Laws
Negligence in Managing File Servers within Work Networks
A fine of 7.5 billion KRW has been imposed on Golfzon, where personal information of over 2 million customers was leaked. This is the first substantial case applying the strengthened Personal Information Protection Act regulations enacted last year.
The Personal Information Protection Commission imposed a fine of 7.504 billion KRW and a penalty of 5.4 million KRW on Golfzon, along with corrective and public announcement orders.
In November last year, Golfzon was hit by a ransomware attack. In the course of the attack, the hackers stole the virtual private network (VPN) account information of Golfzon employees. They then remotely accessed the file server on the work network, exfiltrated the stored files, and published them on the dark web.
As a result, personal information of more than 2.21 million customers and employees was leaked, including names, phone numbers, emails, dates of birth, and IDs. Additionally, resident registration numbers of about 5,800 individuals and bank account numbers of about 1,600 individuals were also leaked.
The Personal Information Protection Commission investigated whether Golfzon complied with the Personal Information Protection Act in relation to this leakage incident.
The investigation found a critical problem: Golfzon was unaware that a large amount of personal information, including resident registration numbers, was stored and shared on the file server used by all employees.
During the COVID-19 period, Golfzon hastily introduced a new virtual private network, and in this process, allowed external access to the internal work network using only IDs and passwords. Despite the possibility of unnecessary remote access to the server from outside, Golfzon neglected safety measures to prevent personal information leakage.
Furthermore, Golfzon stored and retained resident registration numbers and other personal information on the file server without encryption. It was also found to have violated the law by failing to destroy the personal information of at least 380,000 individuals, which was no longer needed because its retention period had expired.
The Personal Information Protection Commission stated that this is the first substantial case applying the revised Personal Information Protection Act regulations aimed at strengthening corporate accountability. These regulations raised the upper limit of fines from 3% of the revenue related to the violation to up to 3% of the total revenue.
Kang Daehyun, Head of Investigation Division 1 at the Personal Information Protection Commission, explained, "The fine was calculated based on the average revenue from 2020 to 2022, the three years immediately before the incident," adding, "However, revenue from business sectors that do not use customer personal information at all was excluded." He further noted, "This is the first substantial case where the law’s intent was directly applied in a large-scale information leakage incident."
Regarding the disposition, Kang emphasized, "This case highlights that thorough personal information protection measures must be applied even within internal work areas handling customer information," and expressed hope that "the overall level of personal information protection in business processes will improve."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

