Republic of Korea: Personal Information Protection Commission opened investigation into Salesforce over potential personal data protection vulnerabilities

On 11 June 2025, the Personal Information Protection Commission (PIPC) announced a fact-finding procedure regarding potential personal data protection vulnerabilities associated with Salesforce. The PIPC commenced verification of related system security and personal data protection measures following recent reports of attempted personal data acquisition targeting Korean companies using Salesforce solutions, including incidents involving voice phishing and malware installation allegedly impersonating IT staff. Concurrently, companies utilising Salesforce were urged to implement internal security audits, conduct phishing prevention training for staff, enforce multi-factor authentication for administrator accounts, and restrict access via designated IP addresses.