(Screenshot from Secta9ine's homepage)

Secta9ine, which operates the SPC Group's membership service "Happy Point," has been fined 1.477 billion won for neglecting customer personal information protection measures.

The Personal Information Protection Commission noted on the 13th that it has voted to impose a penalty surcharge and corrective order on Secta9ine for violating the Personal Information Protection Act.

According to the investigation, in October 2022, an unidentified hacker attempted a "credential stuffing" attack on the Happy Point application and successfully logged in. Credential stuffing is a hacking technique in which user account information stolen from other sites is tried, in bulk and automatically, against a service to gain access.

After successfully logging in, the hacker exploited the application program interface (API) response values to steal personal information, including names, IDs, gender, date of birth, and Happy Point card numbers of 7,585 individuals, and some users suffered secondary damages due to unauthorized use of their points.

In October 2023, another hacking attack using the same method occurred, leaking the personal information of a further 9,762 individuals. Over the course of a year, a total of 17,347 customers' information was stolen using the same technique, yet Secta9ine was found not to have implemented appropriate protection measures in between.

In particular, there was no system in place to detect and block a large number of login attempts from the same IP within a short period, and measures such as encrypting personal information contained in API response values were also inadequate.
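A minimal version of the control the commission said was missing, added here as an illustration and not taken from the article or from Secta9ine's systems: it reads constructed login-log lines, keeps a per-IP sliding window, and flags any source IP whose login attempts reach a threshold within that window. The log format, IP addresses, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (not real data): "<ISO timestamp> <source IP> <event> <account>".
# 203.0.113.7 hits six accounts in ten seconds; the other two IPs are ordinary users.
SAMPLE_LOG = """\
2022-10-01T03:00:00 203.0.113.7 LOGIN_FAIL user001
2022-10-01T03:00:02 203.0.113.7 LOGIN_FAIL user002
2022-10-01T03:00:04 203.0.113.7 LOGIN_FAIL user003
2022-10-01T03:00:06 203.0.113.7 LOGIN_FAIL user004
2022-10-01T03:00:08 203.0.113.7 LOGIN_OK user005
2022-10-01T03:00:10 203.0.113.7 LOGIN_FAIL user006
2022-10-01T03:00:05 198.51.100.2 LOGIN_FAIL alice
2022-10-01T03:00:20 198.51.100.2 LOGIN_OK alice
2022-10-01T03:01:00 192.0.2.9 LOGIN_FAIL bob
2022-10-01T03:02:30 192.0.2.9 LOGIN_FAIL bob
2022-10-01T03:04:00 192.0.2.9 LOGIN_FAIL bob
2022-10-01T03:05:30 192.0.2.9 LOGIN_FAIL bob
2022-10-01T03:07:00 192.0.2.9 LOGIN_OK bob
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, event, account)."""
    ts, ip, event, account = line.split()
    return datetime.fromisoformat(ts), ip, event, account


def find_bursty_ips(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (time_of_first_alert, distinct_accounts_in_window)} for every
    source IP whose login attempts (successes and failures alike) reach
    `threshold` inside any sliding `window`. Lines are sorted by time first,
    so the input need not be ordered."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) inside the window
    alerts = {}
    for ts, ip, event, account in events:
        if not event.startswith("LOGIN"):
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len({acct for _, acct in q}))
    return alerts


if __name__ == "__main__":
    for ip, (when, accounts) in find_bursty_ips(SAMPLE_LOG).items():
        print(f"ALERT {ip}: threshold reached at {when}, {accounts} distinct accounts tried")
```

A production deployment would feed the alert into a block or step-up challenge for that IP; the distinct-account count separates a user retrying their own password from credentials being tried across many accounts.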

Additionally, in the case of the personal information breach incident that occurred in 2022, it was confirmed that the company violated regulations requiring notification and reporting of damages within 72 hours after becoming aware of the incident.

Thus, the Personal Information Protection Commission has imposed a penalty surcharge of 1.477 billion won and fines of 7.2 million won on Secta9ine and ordered the company to publicly disclose the enforcement actions on its business website.

The commission emphasized that "businesses that handle personal information must implement rigorous security measures and prepare countermeasures to prevent recurrence in the event of an incident."
