3.06 Million Personal Data Records Breached at Modetour... Fine of 747 Million Won Imposed

Leak of Korean and English Names and Contact Information

The Personal Information Protection Commission announced on the 13th that, at a plenary session held on the 12th, it decided to impose a fine of 747 million KRW and a penalty of 10.2 million KRW on Modetour Network, the operator of the travel brokerage service 'Modetour.' The commission confirmed that Modetour neglected its obligations under the Personal Information Protection Act regarding safety measures, destruction of personal information, and breach notification.


According to the investigation, Modetour leaked personal information of about 3.06 million members and non-members last June due to a hacker's 'web shell attack' (an attack that implants malicious code into the system through the web page file upload function and obtains administrator privileges). This attack resulted in the leakage of Korean and English names, dates of birth, gender, and mobile phone numbers.


The Personal Information Protection Commission judged that the web shell attack was difficult to prevent because Modetour had been negligent in inspecting and addressing vulnerabilities in uploaded files. It also found that access control measures to detect and respond to information leakage attempts were insufficient. Furthermore, Modetour did not destroy personal information even after the retention period had passed, which contributed to the large-scale leakage. About 3.16 million non-member personal information records (including duplicates) collected since March 2013 had not been destroyed.


In addition, Modetour became aware of the personal information leakage in July last year, one month after the hacking attack, but gave notification of the leakage only in September last year, without justifiable reasons. Under the Protection Act, the leakage must be notified within 72 hours of becoming aware of it.



Accordingly, the Personal Information Protection Commission imposed a total fine and penalty of 757.2 million KRW and ordered the operator to publicly announce the fact of the disposition on its website. It also demanded improvements to the internal personal information protection management system to prevent recurrence of delayed leakage notifications and other related acts.


A representative of the Personal Information Protection Commission said, "Although web shell attacks are well-known, because they allow access to the database (DB) and cause significant damage, special caution and prevention are necessary," and added, "Large-scale personal information processing businesses should promptly destroy unnecessary personal information to minimize the scale of damage in case of a possible personal information leakage incident."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
