The Personal Information Protection Commission imposed a total of 177.6 million won in penalty surcharge and 5.4 million won in fines on three operators—Ezen, Duzon Housing, and Leisure Plus—after member personal information was leaked due to SQL injection attacks.
The Personal Information Protection Commission said on the 21st that it held a plenary meeting the day before and voted to announce these results.
A SQL injection attack is a technique in which an attacker types SQL code into website input fields such as search boxes, login forms, and bulletin boards; when the site pastes that input directly into a database query instead of passing it as a separate parameter, the database executes the attacker's text as part of the query. Through this, hackers can bypass logins and read data straight out of the database.
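As an added illustration (example code written for this page, not code from the Commission or from any of the three operators), the following Python script builds a throwaway SQLite member table with constructed records and shows how the login bypass described above works against a query built by string formatting, how the same input is inert once the query is parameterized, and why a salted password hash limits what a successful injection can take. The table, column, and user names are assumptions.

```python
"""SQL injection login bypass versus a parameterized query (added example).

Uses only the Python standard library; the member table and its rows are
constructed here and are not data from the article.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption; production code would tune this upward

# Constructed sample records: (user_id, plaintext password, name, phone).
SAMPLE_MEMBERS = [
    ("alice", "alice-pw", "Alice Kim", "010-1111-2222"),
    ("bob", "bob-pw", "Bob Lee", "010-3333-4444"),
]


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """Create an in-memory table holding both a plaintext password column (the
    weak practice the article describes) and a salted hash column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (user_id TEXT PRIMARY KEY, password TEXT, "
        "password_hash TEXT, name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?, ?, ?)",
        [(uid, pw, hash_password(pw), name, phone) for uid, pw, name, phone in SAMPLE_MEMBERS],
    )
    return conn


def login_vulnerable(conn, user_id, password):
    """Login built by string formatting: the attacker's text becomes SQL.
    Returns the list of names the query matched (more than one means bypass)."""
    query = (
        f"SELECT name FROM members WHERE user_id = '{user_id}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_hardened(conn, user_id, password):
    """Parameterized lookup plus hash verification: input is never parsed as
    SQL, and the stored value is useless without the original password."""
    row = conn.execute(
        "SELECT name, password_hash FROM members WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


# Classic payloads an attacker would type into the user_id field.
BYPASS_PAYLOAD = "' OR '1'='1' --"          # comments out the password check
DUMP_PAYLOAD = "' UNION SELECT phone FROM members --"  # reads another column


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass :", login_vulnerable(conn, BYPASS_PAYLOAD, "x"))
    print("vulnerable, dump   :", login_vulnerable(conn, DUMP_PAYLOAD, "x"))
    print("hardened, bypass   :", login_hardened(conn, BYPASS_PAYLOAD, "x"))
    print("hardened, real user:", login_hardened(conn, "alice", "alice-pw"))
```

Running the script shows the formatted query returning every member for the bypass payload and every phone number for the UNION payload, while the parameterized version returns nothing for either and only admits the real user with the real password. Note that the hardened query alone would still leak names and phone numbers if another injectable query existed elsewhere on the site; parameterization has to be applied to every query, and the password hash only reduces the damage of a leak rather than preventing it.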
Ezen, an online educational content service provider, suffered a leak of personal information—such as names, phone numbers, and emails—of 69,930 members due to SQL injection attacks targeting its website over three years from August 2021 to August 2024, and the data was posted on Telegram. Among them, more than half, or 35,454 people (50.7%), had resident registration numbers leaked without encryption.
The investigation found that Ezen neglected vulnerability checks and remediation for SQL injection attacks and failed to adequately detect and block attempts to leak personal information. It also confirmed insufficient encryption of resident registration numbers and delays in notifying and reporting the leak of personal information. Accordingly, the Personal Information Protection Commission imposed a penalty surcharge of 60.6 million won and fines of 5.4 million won on Ezen.
Duzon Housing, a construction specialist, also had personal information—such as user IDs, passwords, names, and phone numbers—of 33,879 members leaked and posted on Telegram in December 2023 due to a hacker's SQL injection attack.
Duzon Housing was found not to operate a system to detect and block SQL injection attacks in advance, and its checking and remediation of vulnerabilities was found to be insufficient. Additional issues confirmed included inadequate encryption of member passwords and poor management of database (DB) access logs. The Personal Information Protection Commission imposed a penalty surcharge of 55.8 million won on Duzon Housing.
Leisure Plus, which operates a golf course reservation platform service, suffered leaks of personal information—such as customer names, mobile phone numbers, and passwords—of 160,807 members due to two SQL injection attacks in September and October 2024. According to the Personal Information Protection Commission, Leisure Plus neglected to manage vulnerabilities related to SQL injection attacks and failed to detect attempts to leak personal information in advance. Encryption of member passwords was also insufficient. The Personal Information Protection Commission imposed a penalty surcharge of 61.2 million won on Leisure Plus.
The Personal Information Protection Commission said, "SQL injection attacks carry a high risk of large-scale personal information leaks because databases that store a large amount of information are attacked directly," and added, "Based on the results of this investigation, we will prepare and provide prevention guidelines for operators."