[Exclusive] FSS Launches Ad Hoc Inspection of BipplePay Cyber Incident... Focusing on Legal Violations

Advance Notice of Ad Hoc Inspection Sent to Bizplay This Week
Security Firm Investigation Follows On-Site Cyber Incident Review
Signs of Credit Transaction Information Leak Detected
Inspection to Focus on Compliance with Security Obligations

The Financial Supervisory Service (FSS) has decided to launch an ad hoc inspection of Bizplay, the operator of the BipplePay app, which supports charging and payment services for local gift certificates. This decision follows an on-site inspection and a subsequent investigation by a security firm after it was discovered that an external party had accessed customer personal information. The FSS found indications that Bizplay may have violated the Electronic Financial Transactions Act by failing to ensure required security measures, prompting further scrutiny. In addition, a police investigation is underway to determine whether any internal employees were involved, suggesting that the repercussions could be significant.




According to the financial industry and Bizplay on November 18, the FSS sent a notification of the upcoming ad hoc inspection to Bizplay, the operator of BipplePay, earlier this week. A senior official at Bizplay confirmed, "It is true that we have received notification from the FSS regarding the ad hoc inspection."


According to The Asia Business Daily's investigation, the FSS, together with the Korea Internet & Security Agency (KISA), conducted a three-day on-site inspection immediately after receiving a report of a hacking incident involving BipplePay-branded prepaid gift certificates on September 26. The inspection concluded around October 2, just before the Chuseok holiday, after which Bizplay was given time to address the situation and a security firm began a detailed investigation. Separately from the FSS and KISA investigations, BipplePay also requested a police investigation right after the incident, meaning that since late September, financial, information, and investigative authorities have been examining the case simultaneously.



The FSS reportedly found evidence during the security firm's investigation that customer information had been leaked externally from BipplePay. Initially, as of late September, the known damage consisted of leaked PIN numbers for retail brand prepaid gift certificates, about 4,000 affected customers, and losses totaling approximately 120 million won. BipplePay has been processing compensation for victims promptly. However, as the possibility of credit and personal information leaks emerged, the nature of the incident has changed. In particular, the possibility that internal employees may have been aware of or involved in the leak cannot be ruled out, making the situation even more serious. This could constitute violations of multiple laws, including the Credit Information Act, the Personal Information Protection Act, and the Electronic Financial Transactions Act. The police are reportedly investigating employee involvement, while the FSS is focusing on whether Bizplay has complied with system management and security requirements.


The FSS is expected to begin its ad hoc inspection of Bizplay soon. Details such as the inspection schedule, manpower, and duration remain undisclosed. The inspection is likely to focus on whether BipplePay and Bizplay employees accessed credit transaction information, compliance with Article 21 of the Electronic Financial Transactions Act concerning security obligations, and technical vulnerabilities such as insufficient server or security system updates. Previously, during its investigation of the Lotte Card incident, the FSS found that Oracle WebLogic security patches had not been applied. The agency now plans to check whether similar security management issues exist at BipplePay.


A senior official at Bizplay stated, "We have received notification from the FSS that they will inspect our accident safety management system," adding, "We understand that the ad hoc inspection was notified not to BipplePay, which was responsible for the incident, but to the operator Bizplay, in order to review any violations across the overall information management system."


The maximum penalty the financial authorities can impose for violating the Credit Information Act is a fine of 5 billion won. In addition, the BipplePay incident has also been reported to the Personal Information Protection Commission, so the total fine could be even higher. Violations of Article 21 of the Electronic Financial Transactions Act are subject to administrative fines, as are breaches of the Personal Information Protection Act. An FSS official commented, "As the inspection has not yet begun, it is difficult to predict whether or to what extent any sanctions will be imposed," declining to elaborate further. A senior official at Bizplay said, "We have received advance notice of the FSS inspection, but have not yet been contacted by the police," and added, "We will fully cooperate with the ad hoc inspection and use this opportunity to further improve our internal security systems and operational processes to make them more transparent and advanced."

This content was produced with the assistance of AI translation services.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
