The Personal Information Protection Commission announced on the 24th that it imposed a penalty surcharge of 343 million won on HAESUNG DS, a semiconductor parts company, after it left vulnerabilities in its network security equipment unattended, resulting in a hacker attack that leaked personal information of over 70,000 shareholders.
The Personal Information Protection Commission voted to impose this sanction at a general meeting held the previous day and ordered HAESUNG DS to announce the sanction on its website. According to the commission, the hacker exploited a vulnerability in the security device (SSL-VPN) operated by HAESUNG DS in October 2023, logged into the virtual private network (VPN), and accessed its internal network. After that, the hacker leaked personal information of 73,975 individuals, including shareholders, employees, and partner company staff, stored on the internal file server, and infected files on the internal file server with ransomware.
The investigation revealed that the SSL-VPN equipment used by HAESUNG DS had known vulnerabilities that required security updates, and although this was communicated to both the equipment manufacturer and the Korea Internet & Security Agency (KISA), HAESUNG DS took no significant action until the hacking incident. Additionally, it was confirmed that some of HAESUNG DS's systems showed no history of antivirus activity during the period in which the hacker was leaking information, indicating that malware prevention and remediation functions had been neglected.
In response, the Personal Information Protection Commission voted to impose a penalty surcharge for violations of safety measures mandated by the Personal Information Protection Act. The commission noted, "There is an increasing number of hacking incidents and personal information leaks exploiting vulnerabilities in security equipment like SSL-VPN, so businesses utilizing security equipment like VPN should pay attention to security equipment updates and security setting checks."
The Personal Information Protection Commission also imposed a penalty surcharge of 98 million won and fines of 3.6 million won on Jeonnam Technopark for negligence in fulfilling safety obligations related to its personal information processing system, which was hacked, leading to a leak of personal information. Jeonnam Technopark is a non-profit corporation established to support small and medium-sized enterprises through contributions from the government, local governments, and the private sector. The investigation revealed that Jeonnam Technopark used easily guessable IDs and passwords for accounts on the processing system, and stored user passwords using an insecure one-way encryption (hashing) method, MD5. It was also found that passwords transmitted during login were not encrypted.
Additionally, it was determined that the technopark had failed to restrict access to the processing system by IP address, to detect and block illegal access and personal information leak attempts, and to keep or manage access logs for the processing system, indicating overall negligence in handling personal information. The technopark was found to have recognized on November 23, 2024, that a hacker had accessed the system and deleted and damaged personal information, but without justifiable reason it reported the leak only on the 30th of the same month, past the 72-hour reporting deadline, and posted notice of the leak on its website the following day.
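The two preceding paragraphs list the controls the commission found missing at Jeonnam Technopark: unsalted MD5 password storage, no source-IP restriction on the processing system, and no access logging. The following Python is an added illustration of what those controls look like when present; it is not code from the article or from Jeonnam Technopark's system. The PBKDF2 work factor, the allowlisted networks, the in-memory log and the sample user records are all constructed assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Parameters are assumptions for this example, not values from the article.
PBKDF2_ITERATIONS = 600_000   # work factor; tune so one hash costs ~100 ms on the target host
SALT_BYTES = 16
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed allowlist: only clients in these networks may reach the processing system.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# In-memory access log for the example; a real system writes to append-only, retained storage.
ACCESS_LOG: List[Dict[str, str]] = []


def legacy_md5(password: str) -> str:
    """The weak scheme the regulator faulted: unsalted MD5 of the password.
    Equal passwords give equal digests and each digest is cheap to compute,
    so a leaked table is directly comparable against lists of common passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_md5(stored: str) -> bool:
    """Recognise a legacy record so it can be migrated on the next successful login."""
    return bool(_MD5_HEX.match(stored))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the stdlib), stored
    as a self-describing record so the parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def ip_allowed(client_ip: str) -> bool:
    """Source-IP restriction: anything outside the allowlist (or unparsable) is rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def authenticate(user_db: Dict[str, str], user_id: str, password: str, client_ip: str) -> str:
    """Gate by IP, verify the credential, migrate legacy MD5 records, and log every attempt.
    Returns one of 'blocked_ip', 'bad_credentials', 'ok', 'ok_migrated'."""
    if not ip_allowed(client_ip):
        result = "blocked_ip"
    else:
        stored = user_db.get(user_id)
        if stored is None:
            hash_password(password)  # spend comparable time so unknown IDs are not revealed by latency
            result = "bad_credentials"
        elif is_legacy_md5(stored):
            if hmac.compare_digest(legacy_md5(password), stored):
                user_db[user_id] = hash_password(password)  # migrate the record on successful login
                result = "ok_migrated"
            else:
                result = "bad_credentials"
        else:
            result = "ok" if verify_password(password, stored) else "bad_credentials"
    # Every attempt, allowed or not, leaves a record: who, from where, when, and the outcome.
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user_id, "ip": client_ip, "result": result,
    })
    return result


if __name__ == "__main__":
    # Constructed sample records: one legacy MD5 user, one already on PBKDF2.
    db = {"alice": legacy_md5("Winter2024!"), "bob": hash_password("correct horse")}
    print(authenticate(db, "alice", "Winter2024!", "10.1.2.3"))     # ok_migrated
    print(authenticate(db, "alice", "Winter2024!", "203.0.113.9"))  # blocked_ip
    print(authenticate(db, "bob", "wrong", "10.1.2.3"))             # bad_credentials
    for entry in ACCESS_LOG:
        print(entry)
```

The legacy path exists only to migrate existing records: a login that succeeds against an MD5 digest is immediately rewritten as a salted PBKDF2 record, so the weak table shrinks with normal use. Logging happens on every branch, including blocked addresses, because a denied attempt is exactly the evidence a later investigation needs.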