Written by 11:56 AM Tech

Golf Zone fined 75 billion won for leaking information of 2.2 million people, including resident registration numbers and account numbers

Enhanced Law Enforcement on Personal Information Protection, Negligence in Managing File Servers within Business Networks


Golf Zone, which leaked the personal information of over 2 million customers, has been fined 75 billion won. This is the first substantial case applying the strengthened Personal Information Protection Act enacted last year.

The Personal Information Protection Commission fined Golf Zone 75.4 billion won and imposed a 5.4 million won penalty, along with corrective and public disclosure orders.

Last November, Golf Zone was hit by a ransomware attack. During the attack, the hackers stole the virtual private network (VPN) account information of Golf Zone employees. They then remotely accessed files on the business network's file server and leaked them to the dark web.

As a result, personal information of over 2.21 million customers and employees was leaked, including names, phone numbers, emails, birthdates, and IDs. In addition, approximately 5,800 resident registration numbers and 1,600 account numbers were also leaked.

The Personal Information Protection Commission investigated Golf Zone's compliance with the Personal Information Protection Act in response to the leak.

The investigation revealed that Golf Zone was unaware that a large amount of personal information, including resident registration numbers, was stored and shared on the file server used by all employees.

During the COVID-19 period, Golf Zone hastily introduced a new virtual private network that allowed external access to the internal business network with just an ID and password. Although the server could be accessed remotely from outside and unnecessary access was possible, safety measures to prevent personal information leakage were neglected.

Furthermore, Golf Zone stored and retained resident registration numbers and other information on the file server without encryption. It was also found in violation for not destroying the personal information of at least 380,000 individuals, which had become unnecessary once its retention period expired.

The Personal Information Protection Commission stated that this incident marks the first practical application of the revised Personal Information Protection Act aimed at enhancing corporate accountability. The revised regulation raises the ceiling on fines from 3% of violation-related revenue to 3% of total revenue.

Kang Dae-hyeon, a section chief at the Personal Information Protection Commission who led the investigation, explained that “the fine was calculated based on the average revenue from 2020 to 2022, the 3 years prior to the incident”, adding that “revenue from business sectors that do not utilize customer personal information was excluded.” He further elaborated, saying, “This is the first practical application of the legal intent in a large-scale information leakage case.”

Kang emphasized that “stringent personal information protection measures should be applied even in internal business areas handling customer information” and expressed expectations that “the level of personal information protection throughout business operations will be enhanced.”