U.S. game company 2K Games and the Busan Finance Center were hit with a total of 3.0071 billion won in penalty surcharge and fines for massive leaks of personal information due to inadequate security measures.
The Personal Information Protection Commission said on the 11th that it held its 26th plenary meeting on the 10th and resolved to impose 2.0171 billion won in penalty surcharge and fines on 2K Games for violating personal information protection laws, and 990 million won on the Busan Finance Center.
In the case of 2K Games, a hack of its personal information processing system in 2022 led to the leak of personal information of about 12,906 domestic data subjects who used the game help desk. The hacker obtained a 2K help desk manager's account information by unknown means, accessed the administrator page, and leaked the personal information of 4 million help desk users worldwide, including about 12,906 domestic data subjects.
According to the Personal Information Protection Commission's investigation, since 2011, while operating the help desk, 2K neglected to apply additional secure authentication methods beyond ID and password when personal information handlers accessed the personal information processing system over a communications network.
In the case of the Busan Finance Center, a hacker last year attempted to log in to the work management system the center was operating at a rate of up to 433 attempts per minute (28,072 attempts in total) and broke in. After logging in, the hacker executed ransomware, encrypted files on the server, and left a ransom note (threat message). The work management system contained personal information of 177 people, including executives and employees, and it was found that, due to the ransomware attack, personal information such as resident registration numbers was damaged beyond recovery.
The Personal Information Protection Commission said, "At the time of the incident, the Busan Finance Center switched and configured the work management system to a public IP to link it with groupware installed in the cloud, allowing hacker access for about five days."
It was found that, since April 2020, while installing and operating the internal work management system, the center did not install or operate separate security equipment such as a firewall. It also failed to keep Windows operating system security updates current and was confirmed to have stored resident registration numbers without encryption.
Regarding this investigation and disposition, the Personal Information Protection Commission emphasized, "Particular care is needed, such as periodically backing up and storing major files such as personal information databases separately."
It also urged that when personal information handlers access personal information processing systems such as administrator pages over a communications network, they should log in using secure authentication methods beyond ID and password, such as one-time passwords (OTP).