BoramSangjo logo./Courtesy of BoramSangjo

Boram Sangjo affiliates, at which a data breach exposed the personal information of roughly 28,000 customers, were hit with a penalty surcharge and fines.

The Personal Information Protection Commission on the 14th imposed about 550 million won in a penalty surcharge and fines on seven Boram Sangjo affiliates, including Boram Sangjo Development, Boram Sangjo Leaders, Boram Sangjo Life, Boram Sangjo People, Boram Sangjo Anycall, Boram Sangjo Siloam, and Boram Sangjo Plus.

The Personal Information Protection Commission opened an investigation after receiving a personal information breach report from Boram Sangjo Development on May 28, 2024. It later confirmed that Boram Sangjo Development had been entrusted by group affiliates with customer relationship management (CRM) tasks, including online customer counseling, and was operating databases (DB) that centrally managed personal information collected through the website while neglecting security measures.

Hackers were found to have extracted customer data by infiltrating the DB through an SQL injection attack that exploited website security vulnerabilities. The leaked data included names, mobile phone numbers, IDs, passwords, and email addresses, totaling 27,882 people. The Personal Information Protection Commission determined that the information of both registered website members and online counseling members was included.

SQL injection is a method that inserts malicious SQL statements by exploiting weak input handling in web applications, and uses them to manipulate the DB or steal internal information.
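To make the "weak input handling" concrete, the following is an added example (not code from the article or from any Boram Sangjo system) that builds an in-memory SQLite table with constructed sample rows and compares two ways of looking up a user: one that splices the input text into the SQL statement, and one that passes it as a bound parameter. The hostile input string is likewise constructed for illustration; the point is that the parameterized version treats it as plain data and returns nothing, while the string-built version has its WHERE clause rewritten.

```python
import sqlite3

# Constructed sample data; no relation to any real customer records.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Weak input handling: the caller's text becomes part of the statement.

    A quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL and changes what the query selects.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the statement is fixed, the value is bound.

    The driver hands the value to the engine separately from the SQL text,
    so it can only ever be compared against the column, never parsed.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a constructed hostile input and a normal one."""
    conn = build_db()
    # Constructed hostile input: closes the literal and appends a tautology.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe": lookup_safe(conn, hostile),              # no such username
        "normal": lookup_safe(conn, "alice"),            # intended lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The difference to watch is not the input filtering but where the statement is assembled: the hardened form needs no knowledge of which characters are dangerous because the database never sees the input as SQL text.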

The Personal Information Protection Commission judged that six affiliates that outsourced personal information processing did not fully meet their duty to educate and supervise the trustee, Boram Sangjo Development, to manage personal information safely.

Boram Sangjo Development, even after recognizing the data breach, notified data subjects after the legal notification deadline of 72 hours, and was found not to have deleted personal information past its retention period. Accordingly, the Personal Information Protection Commission imposed a 531 million won penalty surcharge and 11.4 million won in fines on Boram Sangjo Development.

The affiliates were also held responsible for managing and supervising the trustee, with a total penalty surcharge of 11.5 million won imposed, and were ordered to disclose the disposition on their websites. An order for corrective action was also issued, calling for a review and overhaul of group-level personal information processing and decision-making systems, and for strengthening transparency in entrustment relationships.

The Personal Information Protection Commission is currently conducting an advance fact-finding inspection starting on Jan. 1 to check the state of personal information management across the funeral service industry and whether improvements are being made.
