The Personal Information Protection Commission imposed a total of a little over 200 million won in sanctions on two golf courses after spam texts were sent out due to hacking, holding them responsible for poor management of member information. The two golf courses were found to have neglected personal information protection measures, for example by managing member information on the same server and under the same account.
The Personal Information Protection Commission said on the 23rd that it held a full meeting on the 22nd and decided to impose a 148 million won penalty surcharge and 12.3 million won in fines on Hanyang Country Club (CC), and a 53.1 million won penalty surcharge and 9.9 million won in fines on Seoul Country Club.
According to the Personal Information Protection Commission's investigation, a hacker logged into the Hanyang CC website with administrator account information obtained in advance and sent spam texts to a total of 87,923 members of Seoul CC and Hanyang CC. At the time of the incident, Seoul CC had entrusted the processing of member information to Hanyang CC, but because Hanyang CC managed the two golf courses' member information on the same system, Seoul CC's member information was exposed as well.
In particular, Hanyang CC operated the two golf courses' websites and operating systems under an outsourcing contract and was found to have neglected safety measures under the Personal Information Protection Act by using the same web server, databases, and administrator account without distinguishing between the companies. The outsourcing contract signed by Seoul CC and Hanyang CC did not include details such as the scope of the outsourced personal information processing work and safety measures, and Seoul CC's privacy policy was found to have inaccurately specified the processor.
In addition, the two golf courses were found to have retained, rather than destroyed, members' resident registration numbers and other information collected in order to submit name-change statements to the tax office when membership rights were transferred or acquired.
The Personal Information Protection Commission recommended that Hanyang CC, as the processor, clarify the flow of personal information in its privacy policy and separate database access permissions by handler. It ordered corrective action for Seoul CC, as the entrusting party, to clearly specify and disclose the processor on its website and elsewhere, and to faithfully conduct management and oversight, including checking the processing status of the processor.