On 12 February 2025, the Personal Information Protection Commission issued a ruling against Sectanine Ltd. with a penalty of KRW 14.77 billion and a fine of KRW 7.2 million for violations of personal data protection laws. The ruling applies to two data breaches in 2022 and 2023, affecting over 17,000 individuals. Sectanine is a computer system design company that operates the 'Happy Point' membership service, which was the platform affected by the data breaches. The personal data of users who participated in the Happy Point program, including names, identity information, genders, birthdates, and Happy Point card numbers, were compromised during the attacks. The ruling highlighted that the company failed to implement sufficient security measures to protect personal data, resulting in unauthorised access through credential stuffing attacks. The ruling requires the company to publicly disclose the ruling on its website and take action to strengthen data protection measures and prevent future breaches.