The Personal Information Protection Commission announced on July 1 that it has launched an investigation into Subway International BV (Subway), the operator of the sandwich franchise 'Subway'. The commission plans to determine the specific circumstances of the data leak, the scale of the damage, and whether the company fulfilled its obligations regarding safety measures. If any violations of the law are found, the commission will take action in accordance with relevant regulations.
A security vulnerability was discovered in Subway's online ordering system, which is accessible via its website and mobile application (app), allowing easy access to a large amount of personal information. By simply changing the numbers at the end of the web address (URL) on the order page, users could view other customers' contact information and order details directly on the screen. Anyone could access contact details and order history without any additional authentication procedures.
Previously, the pizza franchise 'Papa John's' was also found to have the same security vulnerability. On June 26, the Personal Information Protection Commission also launched an investigation into Korea Papa John's, the operator of Papa John's.
A representative from the commission stated, "Since both incidents were caused by manipulation of parameters in the website address, it is essential to pay close attention to access control, authorization verification, URL management, and secure session handling when operating websites." The representative added, "We are conducting a comprehensive review of personal information processing practices in the food and beverage sector, where personal data is handled during order and delivery processes, and will announce the results of this investigation in the second half of this year."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
