Fines and Penalties Imposed on ClassU and KT Alpha for Personal Information Leakage

Personal Information Protection Commission Sanctions Two Companies
ClassU Leaks 1.6 Million Users' Personal Information
KT Alpha Also Experiences Unauthorized Logins to About 98,000 Accounts
"Access Control Measures Needed for Personal Information... Masking Policies Also Helpful"

ClassU and KT Alpha, whose customer personal information was leaked due to hacking, were fined a total of approximately 72 million KRW in penalties and fines.


The Personal Information Protection Commission announced on the 10th that it imposed a total of 58.51 million KRW in penalties and 14.1 million KRW in fines on ClassU and KT Alpha for violating personal information protection regulations and decided to issue a public disclosure order.


[Image: Fines and Penalties Imposed on ClassU and KT Alpha for Personal Information Leakage. Personal Information Protection Commission]

First, ClassU was fined 53.6 million KRW in penalties and 7.2 million KRW in fines, and correction orders and public disclosure orders were also issued. ClassU, which operates an online lecture service, had the personal information of approximately 1.6 million users leaked between August 2023 and July 2024 through a database (DB) administrator account that hackers obtained by means not yet identified.


According to the investigation by the Personal Information Protection Commission, ClassU did not restrict access to the personal information processing system by IP address or any other means, and multiple personal information handlers shared a single administrator account. It was also confirmed that users' resident registration numbers and bank account numbers were stored without encryption, and that copies of users' identification cards whose processing purpose had already been fulfilled were retained instead of being destroyed. The investigation further found that ClassU notified users more than 72 hours after it became aware of the leak.


The Personal Information Protection Commission issued a correction order to ClassU to establish and implement a specific plan to strengthen personal information protection, including inspecting and addressing security vulnerabilities.


KT Alpha was fined 4.91 million KRW in penalties and 6.9 million KRW in fines, and it was decided to publicly disclose the disposition on the Personal Information Protection Commission's website.


According to the Personal Information Protection Commission, hackers attempted a "credential stuffing" attack on the login page of 'Giftishow,' a mobile gift certificate sales site operated by KT Alpha, from late January to early February 2023, resulting in the leakage of member personal information. Credential stuffing is an attack method that attempts to log in by indiscriminately inputting a large number of pre-obtained IDs and passwords.


Hackers used 4,305 IP addresses to make more than 5.4 million login attempts on the Giftishow webpage, and succeeded in logging into about 98,000 member accounts. For 51 of those accounts, the attackers went on to open webpages containing personal information, viewing the members' details and causing secondary damage through unauthorized use of points.


The Personal Information Protection Commission explained that KT Alpha had failed in its obligation to operate intrusion detection and blocking policies and other safety measures capable of detecting and blocking abnormal access attempts. However, although the hackers succeeded in logging into about 98,000 member accounts, KT Alpha had already masked personal information on its webpages, so the actual leakage of personal information was limited to 51 members.
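The two controls discussed in this passage, detecting the abnormal access pattern of a credential-stuffing campaign and masking personal information before it is rendered, as an added example in Python. This is not code from the article, from KT Alpha or from the Commission; the log format, the detection thresholds, the TEST-NET IP addresses and the account names are assumptions constructed for illustration.

```python
"""Credential-stuffing triage over web login logs, plus field masking.

Added example (not from the article, KT Alpha or the Commission). The log
format '<timestamp> <ip> <user> <OK|FAIL>', the thresholds and the sample
addresses/accounts are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def build_sample_log() -> str:
    """Constructed sample log. Two TEST-NET addresses each try 20 different
    accounts with a single hit apiece (a stuffing pattern); two ordinary users
    log in from their own addresses."""
    lines = []
    for i in range(1, 21):                       # attacker A: user001..user020
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2023-01-28T02:00:{i:02d}Z 203.0.113.10 user{i:03d} {result}")
    for i in range(21, 41):                      # attacker B: user021..user040
        result = "OK" if i == 23 else "FAIL"
        lines.append(f"2023-01-28T02:01:{i - 21:02d}Z 203.0.113.11 user{i:03d} {result}")
    lines += [
        "2023-01-28T08:15:00Z 198.51.100.5 alice FAIL",   # one typo, then success
        "2023-01-28T08:15:09Z 198.51.100.5 alice OK",
        "2023-01-28T09:40:00Z 198.51.100.5 alice OK",
        "2023-01-28T10:02:30Z 198.51.100.9 bob OK",
    ]
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def profile_ips(events) -> dict:
    """Aggregate attempts, failures and distinct accounts tried per source IP."""
    stats = defaultdict(IpStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if not ok:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats, min_attempts=10, min_users=5, min_fail_ratio=0.9):
    """IPs that hammer many distinct accounts and almost always fail.
    Thresholds are illustrative; tune them to the site's normal traffic and
    feed the result into rate limiting, CAPTCHA or blocking at the login page."""
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = s
    return flagged


def compromised_accounts(events, flagged_ips) -> list:
    """Accounts a flagged source logged into successfully (candidates for a forced reset)."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged_ips})


def site_summary(stats) -> dict:
    """Site-wide view: a surge in distinct IPs and in failure ratio is itself a signal."""
    attempts = sum(s.attempts for s in stats.values())
    failures = sum(s.failures for s in stats.values())
    return {"distinct_ips": len(stats), "attempts": attempts,
            "failure_ratio": failures / attempts if attempts else 0.0}


def mask_record(record: dict) -> dict:
    """Mask fields before rendering a member page so that a session opened with
    a stuffed password reveals little (010-1234-5678 -> 010-****-5678,
    alice@example.com -> a****@example.com)."""
    masked = dict(record)
    if "phone" in masked:
        head, mid, tail = masked["phone"].split("-")
        masked["phone"] = f"{head}-{'*' * len(mid)}-{tail}"
    if "email" in masked:
        local, domain = masked["email"].split("@")
        masked["email"] = f"{local[0]}{'*' * (len(local) - 1)}@{domain}"
    return masked


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    stats = profile_ips(events)
    flagged = flag_stuffing_sources(stats)
    print("site:", site_summary(stats))
    for ip, s in flagged.items():
        print(f"stuffing source {ip}: {s.attempts} attempts, {len(s.users)} accounts tried")
    print("accounts to reset:", compromised_accounts(events, flagged))
    print(mask_record({"phone": "010-1234-5678", "email": "alice@example.com"}))
```

The per-IP rule catches each attacking address on its own, but a distributed campaign like the one in the article (thousands of addresses) is often visible sooner in the site-wide failure ratio and the count of distinct IPs than in any single source, which is why both views are computed. Masking is applied at render time, not in storage, so the stored record remains usable for the business while a hijacked session sees only fragments.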


The investigation also confirmed that KT Alpha issued its leak notification more than 24 hours after becoming aware of the breach. Under the Personal Information Protection Act as it stood before the revision, which applied at the time, information and communication service providers had to notify a leak within 24 hours of becoming aware of it.


A representative of the Personal Information Protection Commission stated, "It is essential for personal information processors to implement access control measures that allow only authorized persons to access the personal information processing system to prevent leakage of personal information during processing," and added, "While safety measures such as applying intrusion detection and blocking policies for abnormal behavior are important to prevent credential stuffing attacks, applying masking policies to webpages containing personal information can also greatly help reduce damage from personal information leaks."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
