7.3 Million Job Seekers' Data Stolen by Hacker... Incruit Fined 463 Million Won

Leak Only Discovered After Receiving Hacker's Threatening Email
Corrective Order Issued: Appointment of CPO and Implementation of Recurrence Prevention Measures

Incruit has been fined 463 million won for neglecting its duty to implement safety measures, resulting in the leakage of personal information belonging to 7.3 million job seekers.


On October 22, the Personal Information Protection Commission held a general meeting and imposed a fine of 463 million won on Incruit for violating personal information protection regulations. The commission also issued a corrective order requiring the company to newly appoint a professional Chief Privacy Officer (CPO).


Incruit, which operates an online job portal site, suffered a hacking incident in February that led to the leakage of personal information of approximately 7.3 million members. In July 2023, Incruit was also subject to sanctions, including a 70.6 million won fine, due to a previous personal information leak.


According to the details of the incident, in January, a hacker infected an internet-connected work PC used by an Incruit employee with malware. The hacker then stole the database access credentials of a personal information handler and infiltrated the internal system.


Through this breach, the personal information of 7,275,843 members and 54,475 personal storage files, totaling 438GB, were leaked over the course of about a month.

The leaked information includes 18 items such as members' names, gender, mobile phone numbers, educational background, work experience, photos, disability status, medical history, and eligibility for employment support funds. The leaked files consist of resumes, self-introduction letters, and copies of certificates.


According to the investigation, Incruit failed to respond adequately despite abnormal database access records and unusually high-volume traffic occurring outside of work hours. The company only became aware of the leak after receiving a threatening email from the hacker about two months later. It was also found that Incruit did not block internet access on the personal information handler’s computer.


The Personal Information Protection Commission strictly applied the law in response to repeated violations, imposing a fine of 463 million won and ordering the company to disclose the sanction on its website.

The commission also ordered Incruit to newly appoint a professional CPO and clarify the responsibilities and roles of the CPO. The corrective order further requires Incruit to establish a specific recurrence prevention plan, including support for damage recovery for data subjects, and report it to the commission within 60 days.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

