Law firm Logos, which leaked a large number of litigation materials containing sensitive information, was hit with a 523 million won penalty surcharge.
The Personal Information Protection Commission said on the 21st that it held a full meeting on the 20th and decided to impose a 523 million won penalty surcharge and 6 million won in fines on Logos for violating the Personal Information Protection Act, and to issue corrective and disclosure orders.
The case was investigated after a hacker stole litigation materials that Logos had stored in its internal system and posted them on the dark web. Even though 185,047 litigation-related documents, totaling 1.59 terabytes (TB) of data, were leaked, Logos was found to have reported the breach belatedly, a year after it occurred.
From July to August last year, the hacker obtained the ID and password for Logos' administrator account, accessed the internal intranet system, downloaded 43,892 case-management lists, and leaked them. These included client names, litigation opponents, case titles, and case numbers.
From the directory where litigation materials were stored, the hacker also stole and leaked 185,047 litigation-related documents (1.59 TB). The documents included complaints, judgments, statements, evidentiary documents, bank transaction statements, criminal ledgers, ID cards, medical certificates, and copies of bankbooks. Many of the documents contained personal information such as names, contact information, addresses, resident registration numbers, account numbers, criminal information, and sensitive health information.
From August to September last year, the hacker planted ransomware on Logos' mail server, executed it, and paralyzed the server. Logos was unable to use the server at the time and built a replacement system.
According to the Personal Information Protection Commission's investigation, Logos did not restrict access to its internal system by IP address or any other means, and it neglected the access control measures needed to detect and respond to attempts to leak personal information. Even from outside the network, it was possible to log in with only an ID and password and no further authentication.
It also neglected to check for and remedy vulnerabilities on its webpages and was found to have stored resident registration numbers, account numbers, and passwords without encryption. It did not establish retention periods for personal information in storage or specific destruction criteria.
In particular, although Logos became aware of the personal information leak on Sept. 5 last year, it did not report it until Sept. 29 this year, more than a year later.
The Personal Information Protection Commission said, "We consider Logos' violations to be very serious," and issued a corrective order to strengthen overall personal information protection and management systems, including bolstering safety measures to prevent a recurrence of leaks, encrypting key personal information and establishing clear destruction guidelines, and setting up an incident response framework.