Republic of Korea: Personal Information Protection Commission imposed KRW 81.01 million fine and KRW 7.2 million penalty surcharge on Moncler for violations of Personal Information Protection Act

On 10 September 2025, the Personal Information Protection Commission (PIPC) imposed an administrative fine of KRW 81.01 million and a penalty surcharge of KRW 7.2 million on Moncler Korea for violations of the Personal Information Protection Act, specifically Section 29 and Section 39-4(1). The violations were due to insufficient implementation of security safeguards and delayed notification of a personal data breach. The breach, which occurred in December 2021, involved a hacker’s unauthorised acquisition of administrator account credentials and deployment of malicious software to exfiltrate approximately 230'000 individuals’ personal data before encrypting existing data. Moncler detected the breach on 17 January 2022 but provided notice to data subjects and the regulator on 20 January 2022, thereby failing to meet the then-mandated 24-hour notification period, and formally reported it to the Commission on 22 January 2022. The PIPC ordered the publication of the sanction and emphasised that personal information controllers must require operators accessing personal information systems via information networks to use secure additional authentication measures.