Republic of Korea: Issued ruling in investigation into Samsung Securities over personal data leakage

On 22 March 2023, the Korean Personal Information Protection Committee (PIPC) issued its ruling in the investigation into Samsung Securities Co. (Samsung), imposing a fine of KRW 98 million and a penalty of KRW 3.6 million. The PIPC found that Samsung did not adhere to a number of data protection standards. Firstly, PIPC found that Samsung failed to correctly protect its data once a web server setting error occurred, which caused a directory listing vulnerability. Additionally, Samsung failed to implement the necessary measures to ensure the security of the data it stored. In particular, Samsung did not implement authentication procedures when logging in to the administrator page, which facilitated the leakage of the personal data of 48’122 customers. Finally, as required by law, Samsung failed to preserve the access records of the personal data processing system for one year and kept records only for a month.