Republic of Korea: Issued Ruling in PIPC Investigation of 3 Businesses for Violations of the Personal Information Protection Act

On 14 June 2023, the Personal Information Protection Commission (PIPC) fined Interpark Co Ltd., Paxnet Co Ltd., and Ribbons Co Ltd for violations of security standards in the Personal Information Protection Act. Interpark, an online brokerage platform, experienced a stuffing incident and exacerbated the consequences of the incident by not installing a blocking policy that would hinder continuous access attempts from the same IP address. Apart from corrective measures, a fine of KRW 102.6 million was issued as well as a penalty of KRW 3.6 million. Paxnet, a financial investment platform, also experienced a credential-stuffing incident. However, the company was unjustifiably late in notifying its user base as well as the relevant authorities. A fine of KRW 34.84 million and a penalty of KRW 11 million were issued. Finally, Ribbons, an IP infrastructure and packet and optical networking solutions, failed to impose substantial security measures such as restricting access to their development server with their personal information processing system (Amazon Web Services) or other means. Illegal access was therefore facilitated by the company and as a result, over 1 million units of personal data were leaked. Fines and penalties amounted to KRW 172.01 million and KRW 4.2 million respectively.