BusinessOn Communication, which neglected safety measures for personal data protection, has received a penalty surcharge of 130 million won over the leakage of approximately 180,000 personal data records. NHN WIT, which lost over 530,000 personal data records to hacking, has received a penalty surcharge of 60 million won.
The Personal Information Protection Commission (PIPC) stated on the 27th that it had voted at a full meeting the previous day to impose penalty surcharges and corrective orders on the two companies for violating the Personal Information Protection Act.
According to the PIPC, BusinessOn, which operates the online electronic tax invoice issuance service 'SmartBill', suffered an SQL injection attack from unknown hackers, resulting in the leakage of member information for 179,386 accounts.
An SQL injection attack exploits security flaws in web pages to inject malicious SQL statements, letting the attacker take control of the database and siphon off personal information.
BusinessOn had not implemented any defensive measures to prevent this attack. It was also found to have violated its safety obligations by, among other things, not restricting access to its systems by IP address to block unauthorized external access. Additionally, it was confirmed that the company reported the data breach late.
The PIPC imposed a penalty surcharge of 137 million won and fines of 2.7 million won on BusinessOn. The commission also issued a corrective order requiring the company to develop and implement measures to comply with the law and prevent recurrence, and ordered it to publicly disclose the fact of the sanctions on its website.
NHN WIT also experienced a hacking attack, in its case on the 'Seller System' of 'BagPop', the fashion open market it operates.
As a result, personal information of 534,903 sellers and customers stored in the system was leaked. It has been confirmed that the leaked information included members' resident registration numbers.
During a system overhaul in July 2022, NHN WIT did not put any input validation in place to defend against SQL injection attacks, and it operated with its web firewall disabled.
It was also found that when the old databases of the existing seller system were transferred to the current database in February 2013, the old database was not destroyed even though the purpose of processing the personal information in it had been achieved. That database included resident registration numbers that should have been destroyed under the Personal Information Protection Act.
Consequently, the PIPC imposed a penalty surcharge of 61.1 million won and fines of 9.6 million won on NHN WIT, and ordered it to publicly disclose the fact of the sanctions on its website.