Republic of Korea: Personal Information Protection Commission fined Modutour Network KRW 757.2 million for personal information leaks

On 13 March 2025, the Personal Information Protection Commission (PIPC) issued a fine of KRW 757.2 million on Modutour Network Co. Ltd. (Modutour) for leaks of personal information in violation of the Personal Information Protection Act. The penalty follows an investigation into a June 2024 cyberattack, in which an unidentified hacker exploited a file upload vulnerability on Modutour’s website to install web shell files, enabling the extraction of personal data from approximately 3.06 million customers. The PIPC found that Modutour failed to implement adequate security measures, including access controls and file upload restrictions, and had retained non-member personal data beyond its retention period. Additionally, the company delayed notifying affected individuals for two months despite legal requirements to do so within 72 hours. Alongside the fine, the PIPC ordered Modutour to publicly disclose the penalty and improve its internal data protection measures to prevent future breaches.