Last year, the number of reported personal data breaches was 447, up 46% from a year earlier.
The Personal Information Protection Commission and the Korea Internet & Security Agency (KISA) said on the 15th that they had published the "2025 personal data breach report trends and investigation/disposition cases."
According to the report, a total of 447 personal data breach reports were filed last year, a 45.6% increase from the previous year (307).
By cause, hacking was the most common with 276 cases (62%), followed by work negligence with 110 (25%) and system errors with 24 (5%). Among hacking types, malware infections such as ransomware and web shell attacks accounted for the largest share with 96 cases (35%).
Last year, the Personal Information Protection Commission conducted a total of 227 investigations and dispositions. Of these, penalty surcharge orders were issued in 40 cases for a total of 167.7 billion won, and fines were imposed in 125 cases for a total of 587.2 million won. The combined amount of penalty surcharges and fines increased 172% (108.3 billion won) from the previous year.
In the public institutional sector, there were 77 dispositions in total; public institutions accounted for 41 (53%), the most, and central administrative agencies and constitutional institutions accounted for 22 (29%). In the private institutional sector, there were 150 dispositions in total, with small and midsize enterprises accounting for 75 (50%).
Of the 227 total investigations and dispositions, 115 were personal data breach cases. By cause, work negligence was the most common with 53 (46%), followed by hacking with 52 (45%) and system errors with 8 (7%). However, penalty surcharges for hacking totaled 144 billion won, accounting for 91% of the total.
The Personal Information Protection Commission said personal data breaches via ransomware have been increasing since last year, and it urged applying the latest security updates to operating systems and security equipment, conducting regular simulated training on malicious emails, operating secure backup systems, strengthening access controls, and encrypting personal data in databases. Meanwhile, starting Sept. 11, businesses that leak large volumes of personal data through intent or gross negligence can be subject to a penalty surcharge of up to 10% of total sales.