Republic of Korea: Issued PIPC fines to Digital Daesung and Hicon Corp. for breaching Personal Information Protection Act


Description


On 27 March 2024, the Personal Information Protection Commission (PIPC) in the Republic of Korea conducted an investigation. Digital Daesung and Hicon Corp. were fined a total of KRW 893 million and penalised KRW 13.5 million for breaching the Personal Information Protection Act. The providers were found to have violated safety measures and notification duties under the Act, which led to the exposure of their users' personal information through hacking attacks. Digital Daesung's failure to properly manage its security policies resulted in a credential stuffing and XSS attack, compromising the data of over 95'000 users. This was due to inadequate detection and prevention of excessive login attempts and overlooked website vulnerabilities. In another case, Hicon Corp. failed to maintain an intrusion detection system and secure authentication methods for administrator access, allowing 15'143 members' personal information to be compromised through web vulnerabilities and brute force attacks. The ruling emphasises the need for personal information handlers to install and operate intrusion detection and leakage systems appropriate to their operating environments, conduct regular vulnerability scans, and use secure authentication methods when accessing personal information processing systems from external sources. The PIPC plans to conduct targeted inspections of Internet lecture providers and companies using biometric information in the education sector to improve personal information management and address vulnerabilities.


Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider, technological consumer goods, platform intermediary: other
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-03-27
in force

On 27 March 2024, the Personal Information Protection Commission (PIPC) in the Republic of Korea co…