Three business operators have been sanctioned for violating the Personal Information Protection Act. They were penalized for failing to implement required safety measures for protecting personal information and for delaying the notification and reporting of personal information breaches. The sanctions total KRW 1.2333 billion in fines and KRW 18.8 million in penalties for violations of safety measures.
The Personal Information Commission opened an investigation after receiving a report of a personal information leak and identified specific violations by the three businesses subject to disciplinary action. Here are the details:
1. Interpark Co., Ltd., which operates an online brokerage platform (Interpark) in the travel and shopping sectors, experienced a credential stuffing attack on its app service. Because it had no blocking policy for abnormal login attempts, the personal information of 784,920 users was compromised. As a result, the Personal Information Commission imposed sanctions including a fine of KRW 1,026,450,000, a penalty of KRW 3,600,000, and a correction order.
2. Paxnet Co., Ltd., the operator of a website providing securities information (Paxnet), also suffered a personal information breach, with 284,054 users’ data being leaked due to a hacker’s credential stuffing attack. Additionally, there were delays in reporting and notifying the leak. Consequently, a fine of KRW 11 million was imposed.
3. Ribbons Co., Ltd., the operator of a luxury online shopping mall (Ribbons), uses Amazon Web Services (AWS) to configure and operate its personal information processing system. It failed to restrict access to its development server on AWS by IP address, among other security measures. This allowed hackers to obtain AWS account information, leading to the exposure of personal information for 1,183,325 users. In response, sanctions including a fine of KRW 172.01 million, a penalty of KRW 4.2 million, and a corrective order were imposed.
Nam-Seok, Director of the Investigation and Coordination Bureau at the Personal Information Commission, stated that personal information breaches caused by unauthorized access, such as hacking incidents, have recently increased.