Personal Information Protection Commission Holds 15th General Meeting
"Negligence in Inspecting SQL Injection Vulnerabilities"
The Personal Information Protection Commission announced on July 10 that it will impose a total of 1,414 million won in administrative fines and 2.7 million won in penalty surcharges on BYN Blackyak and Korea Topic Education Center for violating mandatory safety measures.
BYN Blackyak, which manufactures and sells clothing and related products, was found to have neglected to inspect for and remediate SQL (Structured Query Language) injection vulnerabilities since launching its website in October 2021. The company also allowed external access to the administrator page (for example, for remote work) without implementing any secure authentication method beyond an ID and password.
As a result, BYN Blackyak was fined 1,391 million won. The details of the sanction will be disclosed on the company’s official website.
Previously, in March, BYN Blackyak suffered a breach in which a hacker exploited an SQL injection vulnerability on the website, compromising administrator account information and the personal data (including names, gender, and partial addresses) of 342,253 users. An SQL injection attack exploits a flaw in how a website builds its database (DB) queries, so that attacker-supplied input is executed as part of a database command and can be used to read or manipulate the data.
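As an added illustration (not code from the article or from either company), the Python snippet below shows the class of flaw behind the attack described above: an administrator login query built by string concatenation, beside the parameterized form that closes the hole, against an in-memory SQLite table with constructed sample data and a placeholder password hash.

```python
import sqlite3

# Constructed sample data: one admin row; the hash value is a placeholder
# string standing in for whatever password hashing scheme a site uses.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'hash-of-correct-password')")
    return conn

def login_vulnerable(conn, user_id, pw_hash):
    # Query text is assembled from user input, so the input is parsed as SQL.
    sql = ("SELECT id FROM admins WHERE id = '" + user_id
           + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, user_id, pw_hash):
    # Bound parameters: the driver sends input as data, never as SQL text,
    # so the same input can only ever be compared against column values.
    sql = "SELECT id FROM admins WHERE id = ? AND pw_hash = ?"
    return conn.execute(sql, (user_id, pw_hash)).fetchone() is not None

def demo():
    # A textbook tautology probe used here only to show the two behaviours side by side.
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        # Concatenation turns the probe into a WHERE clause that is always true.
        "vulnerable_with_probe": login_vulnerable(conn, probe, probe),
        # The bound version compares the probe literally and finds no such admin.
        "parameterized_with_probe": login_parameterized(conn, probe, probe),
        # Legitimate credentials still authenticate after the fix.
        "parameterized_valid": login_parameterized(conn, "admin", "hash-of-correct-password"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

A web vulnerability inspection of the kind the Commission refers to would flag any query built like `login_vulnerable`; the remediation is to bind every user-controlled value as in `login_parameterized`.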
Korea Topic Education Center also suffered an SQL injection attack in March of last year, resulting in a fine of 23 million won and a penalty surcharge of 2.7 million won. In that incident, the hacker stole from the database the personal information of 84,085 users (a count that includes duplicates), comprising user IDs, encrypted passwords, names, gender, and mobile phone numbers, and published it on Telegram.
The Personal Information Protection Commission’s investigation found that Korea Topic Education Center failed to adequately inspect for and address SQL injection vulnerabilities, and did not retain or manage access logs for the staff handling its personal information systems. The company also, without justifiable reason, failed to notify users of the data breach within 72 hours of becoming aware of it.
A representative from the Personal Information Protection Commission stated, "As cases of allowing external access due to remote work are increasing, implementing additional authentication methods to verify authorized users has become more important than ever," and added, "Personal information controllers must strengthen security measures such as conducting web vulnerability inspections and exercise particular caution."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

