Overview of the Donghaeng Lottery personal information leak incident./Courtesy of Personal Information Commission

Because of inadequate safety measures, 750,000 pieces of personal information were leaked from Donghwakwon, which was fined more than 500 million won. Additionally, 125,000 pieces of personal information were leaked from SK Stoa, resulting in a penalty surcharge of 1.4 billion won.

The Personal Information Protection Commission announced on the 23rd that it had approved penalty surcharges and corrective orders against Donghwakwon and SK Stoa for violations of the Personal Information Protection Act at its plenary meeting the day before.

According to the Personal Information Protection Commission, in November 2023, a hacker managed to log in by exploiting a security vulnerability after securing a list of member IDs from Donghwakwon, an integrated lottery portal. This resulted in the leakage of approximately 750,000 pieces of personal information.

The Personal Information Protection Commission explained that Donghwakwon neglected to examine and improve security vulnerabilities during the design of the 'password change function' and lacked safety measures to detect and block the hacker's attacks.

Accordingly, the Personal Information Protection Commission imposed a penalty surcharge of 500.3 million won and fines of 4.8 million won on Donghwakwon, and ordered the company to publicly announce this fact on its website.

In the case of SK Stoa, in November 2023, the company's website was targeted by a hacker's 'credential stuffing' attack, resulting in the leakage of more than 125,000 pieces of personal information. Credential stuffing is a hacking attack that attempts to log in by randomly entering user account information collected from other websites.

Overview of the SK Stoa personal information leak incident./Courtesy of Personal Information Commission

At that time, the hacker attempted to log in more than 44 million times at a maximum rate of 372 times per second from 14 domestic and foreign IP addresses targeting the SK Stoa website. As a result, they successfully logged into more than 125,000 member accounts and accessed web pages containing personal information.

The Personal Information Protection Commission pointed out that SK Stoa had neglected its duty to implement safety measures, such as establishing intrusion detection or blocking measures to prevent abnormal access attempts.
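The kind of abnormal-access detection the Commission refers to can be sketched as follows. This is an added example, not part of the original article or the Commission's findings; the log fields, thresholds and sample data are assumptions constructed for illustration. It flags any source IP whose login attempts, or number of distinct account IDs tried, exceed a limit within a one-second sliding window.

```python
from collections import defaultdict, deque

WINDOW_US = 1_000_000   # 1-second sliding window, in microseconds (assumed)
MAX_RATE = 20           # login attempts per window from one IP (assumed threshold)
MAX_ACCOUNTS = 10       # distinct account IDs per window from one IP (assumed)

def detect_stuffing(events, window=WINDOW_US, max_rate=MAX_RATE,
                    max_accounts=MAX_ACCOUNTS):
    """events: (ts_us, src_ip, account_id, success) tuples sorted by time.
    Returns per-IP statistics for every source that crossed a threshold."""
    recent = defaultdict(deque)   # ip -> (ts, account) pairs still in the window
    stats = {}
    for ts, ip, account, success in events:
        q = recent[ip]
        q.append((ts, account))
        while q[0][0] <= ts - window:       # expire attempts older than the window
            q.popleft()
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0, "peak_rate": 0,
                                  "peak_accounts": 0, "first_flagged": None})
        accounts = len({a for _, a in q})   # many IDs from one IP: stuffing signal
        s["attempts"] += 1
        s["failures"] += not success
        s["peak_rate"] = max(s["peak_rate"], len(q))
        s["peak_accounts"] = max(s["peak_accounts"], accounts)
        if s["first_flagged"] is None and (len(q) > max_rate or accounts > max_accounts):
            s["first_flagged"] = ts         # point at which blocking could start
    return {ip: s for ip, s in stats.items() if s["first_flagged"] is not None}

def sample_events():
    """Constructed log: one automated source at 372 attempts/s, one ordinary user."""
    bot = [(i * 1_000_000 // 372, "203.0.113.7", f"member{i}", i % 300 == 0)
           for i in range(744)]
    user = [(t, "198.51.100.20", "alice", ok)
            for t, ok in ((500_000, False), (12_000_000, False), (31_000_000, True))]
    return sorted(bot + user)

if __name__ == "__main__":
    for ip, s in detect_stuffing(sample_events()).items():
        print(ip, s)
```

On the constructed data the automated source is flagged about 27 milliseconds into the run, after its eleventh distinct account ID, while the ordinary user who mistypes a password twice is not flagged.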

Additionally, it was further confirmed that some web pages of SK Stoa transmitted users' passwords in plaintext without encryption.

As a result, the Personal Information Protection Commission imposed a penalty surcharge of 1.432 billion won and fines of 3 million won on SK Stoa, ordering the company to publicly announce this fact on its homepage.

Lee Jung-eun, the second department head of the Personal Information Protection Commission, said during a briefing, 'The countries where large-scale logins were attempted were China and the United States, and it was not possible to identify the hacker's identity.'
