A person uses a vending machine via Apple Pay Tmoney Co. /Courtesy of Kim Min-guk

The Personal Information Protection Commission imposed a 530 million won penalty surcharge on Tmoney Co., which caused a large-scale personal data leak. NHN Commerce, which had been negligent in managing the security of its shopping mall solution, was also hit with a penalty surcharge and fines.

The Personal Information Protection Commission said on the 29th that it imposed a 530 million won penalty surcharge on Tmoney Co. for neglecting its duty to take safety measures for personal information protection and ordered the company to disclose the imposition on its website. It also issued a corrective order requiring the establishment and implementation of measures to prevent recurrence.

An investigation found that in March last year, a hacker carried out a credential stuffing attack on the "Tmoney Card&Pay" website, leaking personal data including the names, emails, mobile phone numbers and addresses of 51,691 people. During the attack period, login attempts jumped 68-fold compared with normal levels, and more than 12 million login attempts were made from 9,647 domestic and overseas IP addresses.

In the process, about 14 million won worth of T-mileage from 4,131 accounts was also stolen through the gifting function. The Personal Information Protection Commission determined that Tmoney Co. recognized anomalies such as mass login attempts but failed to take proper intrusion detection and blocking measures.

The Personal Information Protection Commission also imposed an 8.7 million won penalty surcharge and 4.5 million won in fines on NHN Commerce, where a personal data leak occurred due to lax security management of a shopping mall solution. An SQL injection attack was found to have occurred in the legacy solution "eNamu" provided by NHN Commerce, leading to the leak of 122 instances of purchaser personal information at 17 shopping malls.

NHN Commerce reported the leak to the authorities, but its failure to notify the affected merchant users in a timely manner was also recognized as grounds for sanctions.

※ This article has been translated by AI.