Personal Information Protection Commission Decides at Plenary Meeting on the 4th
Parkcha Company Fined 9.59 Million KRW
"Caution Needed When Handling Sensitive Information"
A fine of 51.1 million KRW and a penalty of 2.7 million KRW were imposed on the online video service operator 'Wolgeupjaengibujadeul', from which the personal information of more than 100,000 people was leaked in a hacking attack.
The Personal Information Protection Commission held a plenary meeting on the 4th and decided to impose a total fine of 60.69 million KRW and a penalty of 10.8 million KRW on Wolgeupjaengibujadeul and Parkcha Company for violating personal information protection regulations.
The specific violations and disposition results of these two operators, investigated following reports of personal information leaks, are as follows.
First, Wolgeupjaengibujadeul suffered a hacking attack on its finance-related video service site, resulting in the leakage of personal information of 107,518 individuals from its database (DB).
According to the investigation, Wolgeupjaengibujadeul operated the system so that the DB could only be accessed through an intermediate server, but there was no firewall, and the IP addresses that could access the intermediate server were not restricted.
Also, when accessing the DB externally, it was possible to log in with just an ID and password without additional authentication methods, and it was confirmed that even the DB administrator account password was not set.
The Personal Information Protection Commission imposed a fine of 51.1 million KRW and a penalty of 2.7 million KRW and ordered the operator to publicly announce the fact of the disposition on its homepage.
Parkcha Company, an operator of a used rental car sales brokerage platform, suffered a SQL injection attack by hackers, resulting in the leakage of personal information of 4,004 members. It was confirmed that sensitive information, such as members' disability grades, was also included in the leaked data.
A SQL injection attack refers to an attack technique that exploits website vulnerabilities to execute malicious SQL (a programming language used for DB queries) statements, thereby abnormally manipulating the DB.
The investigation revealed that Parkcha Company did not install or operate security equipment such as firewalls to prevent illegal access from outside while operating the used rental car sales brokerage platform.
Also, personal information was leaked because input validation procedures to prevent SQL injection attacks were not implemented.
Furthermore, it was found that personal information past its retention period was not destroyed, and account numbers owned by individuals were stored without encryption. It was also confirmed that notification of the personal information leak was delayed.
The Personal Information Protection Commission imposed a fine of 9.59 million KRW and a penalty of 8.1 million KRW on Parkcha Company and decided to publicly announce this fact on the Commission’s homepage.
The Personal Information Protection Commission urged, "Businesses handling personal information must continuously check their obligations related to safety measures to prevent leakage incidents. Unnecessary personal information should be destroyed immediately, and special care is required in processing sensitive information."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.



