The Personal Information Protection Commission imposed a 463 million won penalty surcharge on Incruit for leaking job seekers' personal information.
The Personal Information Protection Commission said on the 23rd that it held a general meeting on the 22nd and decided on corrective measures to prevent a recurrence, including imposing a 463 million won penalty surcharge on Incruit for violating personal information protection regulations, newly designating a chief privacy officer (CPO), and supporting damage recovery for data subjects.
Incruit, which operates an online job portal site, suffered a hacking incident in February this year that leaked the personal information of about 7.3 million members in total. It reported the leak to the Personal Information Protection Commission, and the investigation found that Incruit neglected its obligation to take safety measures under the Personal Information Protection Act. Incruit had previously been sanctioned by the Personal Information Protection Commission in July 2023 for a personal information leak.
In January this year, an unidentified hacker infected an Incruit employee's internet-connected work PC with malware. The hacker then stole the employee's database (DB) access account and penetrated the internal system. As a result, over about a month, the personal information of 7,275,843 members in total (18 items including name, sex, mobile phone number, education, work experience, photo, disability, military service, and eligibility for employment subsidies), as well as 54,475 personal storage files such as resumes, self-introduction letters, and copies of certificates, totaling 438 gigabytes (GB) of job-related information, were leaked.
The Personal Information Protection Commission said, "There were abnormal DB access logs outside business hours, and despite abnormal large-volume traffic occurring as internal data was being leaked externally, Incruit neglected to respond to the anomalous activity and only recognized the leak after receiving a hacker's threatening email about two months later," adding, "It was also confirmed that no internet network blocking was in place for the computers of personal information handlers that could download or delete large amounts of personal information, including sensitive data."
It also noted that Incruit repeatedly violated its obligation to take safety measures, as another personal information leak occurred within three years after 2023.
The Personal Information Protection Commission said, "We considered this incident serious because, given the nature of a job-seeking site, it held not only basic personal information of job seekers but also information encapsulating a person's life and career, such as education, work experience, disability status, and military service, yet it neglected safety obligations and leaked a large amount of personal information."
In addition, the Personal Information Protection Commission added, "We are preparing an improvement plan for the penalty surcharge system with punitive effects for corporations that are remarkably negligent in personal information protection, such as those with repeated leak incidents," and "We plan to further strengthen the effectiveness of sanctions through this."