A view of a Louis Vuitton store in Seoul. /Courtesy of News1

Luxury brands Louis Vuitton, Dior and Tiffany, which leaked a large amount of member personal information, were hit with more than 36.033 billion won in penalty surcharges.

The Personal Information Protection Commission said on the 12th that it held a full meeting on the 11th and imposed a penalty surcharge of 36.033 billion won and fines of 10.8 million won on three luxury brands—Louis Vuitton Korea, Christian Dior Couture Korea and Tiffany Korea—for violating the Personal Information Protection Act, and ordered them to publicly disclose the disposition.

All three luxury brands were found to have suffered personal information leaks while using software-as-a-service (SaaS)-based customer management services.

At Louis Vuitton, an employee's device was infected with malware and the software-as-a-service account information was stolen by a hacker. As a result, the personal information of about 3.6 million people was leaked in three separate incidents from June 9 to 13 last year.

Louis Vuitton introduced and operated the software-as-a-service starting in 2013 to manage purchasing customers and more. However, it did not restrict access privileges by Internet Protocol (IP) address and did not apply secure authentication measures when personal information handlers accessed the system externally.

Accordingly, the Personal Information Protection Commission imposed a 21.385 billion won penalty surcharge on Louis Vuitton and ordered the business to disclose the disposition on its website (homepage).

At Dior, a customer center employee was deceived by a hacker's voice phishing and granted the hacker access privileges to the software-as-a-service. In the process, the personal information of about 1.95 million people was leaked.

Dior introduced and operated the software-as-a-service from 2020 to manage purchasing customers and more. However, it did not restrict access privileges by IP address and did not limit the use of tools that support mass data downloads. Furthermore, it did not check access logs—such as whether personal information was downloaded—at least once a month, and was found to have failed to confirm the leak for more than three months.

According to the Personal Information Protection Commission, even after Dior recognized the personal information leak on May 7 last year, it did not provide leak notifications until more than 72 hours had passed, without justifiable reason.

Accordingly, the Personal Information Protection Commission imposed 12.236 billion won and fines of 3.6 million won on Dior.

At Tiffany as well, a customer center employee was deceived by a hacker's voice phishing and granted the hacker access privileges to the software-as-a-service, leaking the personal information of about 4,600 people. Tiffany likewise did not restrict access privileges by IP address and did not limit the use of tools that support mass data downloads. As with Dior, Tiffany notified users after more than 72 hours following recognition of the leak and also delayed its report.

The Personal Information Protection Commission imposed a 2.412 billion won penalty surcharge and fines of 7.2 million won on Tiffany.

The Personal Information Protection Commission said, "Recently, many corporations have been introducing and operating software-as-a-service from global conglomerates for reasons such as reduced initial build expense and maintenance efficiency," adding, "However, when only expense and convenience are considered on the basis of trust in software-as-a-service, there is a concern that securing the safety of personal information may be neglected, so caution is required."

It emphasized that even when software-as-a-service is used for customer management and more, it constitutes a personal information processing system, so it is necessary to differentially grant access privileges to the minimum scope required to perform duties, restrict by IP address, and apply secure authentication methods such as one-time passwords (OTP).
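To tie the controls the Commission names here, and the failures described for Dior and Tiffany above (no IP restriction, no limit on mass-download tools, no monthly review of access logs, notice later than 72 hours), to something a reviewer can actually run, the following is an added example and not code from the regulator or from any of the brands. It parses constructed SaaS audit-log lines and flags customer exports from outside a hypothetical office IP allow-list and per-account hourly export volumes above a hypothetical threshold; the IP ranges, account names and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list of office egress ranges (constructed, documentation IPs).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]
BULK_ROWS_PER_HOUR = 10_000           # hypothetical mass-export threshold
NOTIFY_WITHIN = timedelta(hours=72)   # notification window cited in the article

# Constructed sample of SaaS audit-log lines: time, account, source IP, action, rows.
SAMPLE_LOG = """\
2024-06-09T02:10:00 crm_agent_07 203.0.113.5 view_customer 1
2024-06-09T02:12:30 crm_agent_07 203.0.113.5 export_customers 250
2024-06-09T03:01:12 crm_agent_07 192.0.2.44 export_customers 1200000
2024-06-09T03:05:40 crm_agent_07 192.0.2.44 export_customers 1200000
2024-06-10T09:00:00 crm_agent_12 198.51.100.9 export_customers 4000
"""

def parse_log(text):
    """Turn raw log lines into dicts with typed timestamp, IP and row count."""
    events = []
    for line in text.splitlines():
        ts, account, ip, action, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ipaddress.ip_address(ip), "action": action,
                       "rows": int(rows)})
    return events

def review_access_log(events):
    """Return findings: exports from non-allow-listed IPs and hourly bulk volume per account."""
    findings, hourly = [], defaultdict(int)
    for e in events:
        if e["action"] != "export_customers":
            continue   # only downloads of personal data are reviewed here
        if not any(e["ip"] in net for net in ALLOWED_NETS):
            findings.append(("export_outside_allowlist", e["account"], str(e["ip"]), e["ts"]))
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        hourly[(e["account"], hour)] += e["rows"]
    for (account, hour), rows in hourly.items():
        if rows > BULK_ROWS_PER_HOUR:
            findings.append(("bulk_export", account, rows, hour))
    return findings

def notification_deadline(recognized_at):
    """Latest time a notice may go out once the leak is recognized (72-hour window)."""
    return recognized_at + NOTIFY_WITHIN

if __name__ == "__main__":
    for finding in review_access_log(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run monthly (or, better, continuously) over the real SaaS audit export, the same two checks would have surfaced the off-network bulk downloads described above long before the three-month mark.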

The Personal Information Protection Commission said, "Even when corporations introduce software-as-a-service, their responsibility to securely manage personal information is neither exempted nor transferred, so personal information handlers must fully apply the personal information protection functions provided by the service to prevent personal information leaks."

※ This article has been translated by AI.