The Personal Information Protection Commission said on the 11th that it will impose an 81.01 million won penalty surcharge and 7.2 million won in fines on Moncler Korea after about 230,000 people's personal information was leaked due to lax safety measures for personal data.
According to the Personal Information Protection Commission, Moncler became aware on Jan. 17, 2022, that about 230,000 people's personal information had been leaked due to a hack of its personal information processing system that occurred in Dec. 2021, and reported the matter to the commission on Jan. 22 that year. The leaked data at that time included name, date of birth, email address, card number, delivery method, shopping characteristics, body size, and other purchase information.
The commission's investigation found that the hacker had previously obtained the account of an employee with administrator privileges, used those privileges to distribute malicious software to the domain controller server (the security policy management server for authentication and authorization), leaked personal information, and then encrypted the existing data.
However, while operating its website, Moncler failed to apply an additional secure authentication method, even though handlers who connect to a personal information processing system over an information and communications network must use one beyond an ID and password. In addition, even after recognizing the personal information leak, Moncler delayed notifying users beyond 24 hours without a justifiable reason. Accordingly, the Personal Information Protection Commission decided to impose a penalty surcharge and fines on Moncler and to disclose the disposition on the commission's website.
The Personal Information Protection Commission urged, "When handlers connect to administrator pages or other personal information processing systems via the information and communications network, personal information controllers must ensure access is made using a secure authentication method such as a one-time password (OTP) in addition to an ID and password."