Republic of Korea: Issued ruling in PIPC investigation into PayPal’s compliance with Personal Information Protection Act

On 25 October 2023, the Korean Personal Information Protection Commission (PIPC) ruled PayPal had violated the Personal Information Protection Act and imposed a KRW 906 million fine and a KRW 16.2 million penalty. The PIPC stated that PayPal failed to implement safety measures and unlawfully delayed notifying data breaches. PIPC began an investigation in December 2021 after PayPal reported that the personal information of Korean users had been leaked due to the hacking of the remittance function and an incident of email fraud of an employee in January 2023. An additional report was made that personal information had been leaked due to a credential stuffing attack, and a total of three leak incidents were investigated together.