Song Kyung-hee, Chairperson of the Personal Information Protection Commission, speaks at the full committee meeting of the Personal Information Protection Commission held on March 25 at the Government Complex Seoul in Jongno-gu, Seoul. (Yonhap News)
The Personal Information Protection Commission imposed a penalty of approximately 500 million won on Boram Funeral Development for causing a personal information leakage incident affecting over 20,000 individuals.
The commission announced on the 14th that during a full meeting held on the 13th, it decided to impose a fine of 542.5 million won and an administrative fine of 11.4 million won on Boram Funeral Development and six other businesses under the Boram Group for violating personal information protection laws.
The commission’s investigation found that Boram Funeral Development neglected safety measures such as access control to customer database systems while it was entrusted with customer relationship management tasks, including online customer consultations, from six subsidiaries within the Boram Group. As a result, in May 2024, a hacker exploited vulnerabilities on their website to break into the database and steal personal information of over 20,000 customers, including names, mobile phone numbers, and email addresses. Furthermore, the company failed to promptly notify the information subjects after recognizing the leak and was found to have been retaining previously held personal information without destroying it.
Meanwhile, the Personal Information Protection Commission reported that most corrective orders it issued in the second half of last year to companies violating personal information protection laws were completed. Of the 222 corrective orders issued last year, 211 cases (95%) have been executed or had plans for execution submitted. Specifically, the commission confirmed through on-site inspections that SK Telecom, which experienced a large-scale personal information breach last year, has formulated and implemented preventive measures for recurrence. This included strengthening safety measures such as identification and full inspection of personal information processing systems, encryption of USIM authentication keys, and important information.