The Personal Information Protection Commission said on the 9th it imposed a 530 million won penalty surcharge and 5.4 million won in fines on LOCK&LOCK Co., Ltd., which leaked the personal information of about 1.3 million people.
At the 13th plenary meeting held on the 8th, the Personal Information Protection Commission decided to impose a total of 701 million won in penalty surcharges and 5.4 million won in fines on three businesses that violated the Personal Information Protection Act, including LOCK&LOCK Co., Ltd., Ubase Co., and Sunphoto, and to require them to disclose the disposition on each company's website.
A Personal Information Protection Commission investigation was found that LOCK&LOCK Co., Ltd. had a hacker exploit a security vulnerability in its mail server in Apr. 2024 to break into its internal system and then, in late May of the same year, leak member databases. Later, in Nov. of the same year, the hacker was found to have broken in again and additionally exfiltrated work files stored on the file server and employees' personal information.
In the process, personal information of about 1.3 million members and 1,111 cases of employee personal information were leaked externally. The leaked data included not only member names, mobile phone numbers, and addresses, but also sensitive information such as copies of employees' resident registration cards and driver's licenses and bankbooks.
The Personal Information Protection Commission found that LOCK&LOCK Co., Ltd. failed to detect or block the abnormal high-volume traffic that occurred during the leak and recognized the leak only after receiving a blackmail email from the hacker. It also did not apply security patches for a security vulnerability disclosed in 2022, used the same password for administrator accounts on key servers, and did not encrypt unique identification information, among multiple violations of safety measures obligations that were found.
It also confirmed that 49,466 items of employee personal information and information on buyers from closed stores were not destroyed. Accordingly, the Personal Information Protection Commission imposed a 530 million won penalty surcharge and 5.4 million won in fines on LOCK&LOCK Co., Ltd., and ordered the company to disclose the disposition on its website.
Ubase Co., which provides call center outsourcing services for corporations, had its main website administrator account hacked in 2024, leaking the names, phone numbers, email addresses, company names, and other data of 1,852 users of the inquiry board. The hacker was found to have posted the stolen personal information on Telegram.
Ubase Co. operated its system to allow external access to the administrator page but did not restrict access rights by Internet Protocol (IP) address and allowed access to the administrator page with only an ID and password, it was found. It was also confirmed that it did not properly store and manage access logs for the personal information processing system. The Personal Information Protection Commission imposed a 168 million won penalty surcharge on Ubase Co. and required the company to disclose the disposition on its website.
Sunphoto, a seller of photo and video equipment, had its administrator account hacked in 2024, leaking personal information of about 170,000 members and 13 order records. The leaked information included names, IDs, mobile phone numbers, and gender, and the hacker was found to have attempted voice phishing by impersonating a Sunphoto employee to one purchaser.
The Personal Information Protection Commission determined that Sunphoto likewise did not restrict access rights to the administrator page by IP address and violated safety measure obligations by failing to store and manage access logs for the personal information processing system. It imposed a 30 million won penalty surcharge and required the company to disclose the disposition on its website.