On 11 June 2025, the Personal Information Protection Commission imposed sanctions on three businesses, DR Plus, Onflat, and Merck, for violations of the Personal Information Protection Act. The measures included fines, surcharges, corrective orders, and requirements to publicly disclose the outcomes of the investigations. DR Plus, which operates an online used car sales brokerage platform, was sanctioned following a data breach that affected at least 98 individuals. The breach was caused by a SQL injection attack. The investigation revealed that the company had failed to encrypt users’ resident registration and account numbers, did not implement secure authentication for external access to its personal information processing system, and did not maintain access logs. DR Plus was fined KRW 40.82 million. Onflat, an online payment agency service, experienced a similar breach affecting at least 80 individuals. The Commission found that the company had not implemented input validation measures to prevent SQL injection attacks. As a data processor under the previous legal framework, Onflat was issued a corrective order and required to disclose the corrective measures but was not fined. Merck, a pharmaceutical company, was fined for a data leak related to a newly launched service. The Commission underscored the importance of conducting thorough security assessments before launching new services and maintaining ongoing protection against common web vulnerabilities.