Korea's Data Privacy Authority Imposes Penalties on Businesses for Failing to Safeguard Personal Data
Key Takeaways
- BusinessOn's Security Breach: Hit with a KRW 137 million penalty after hackers used SQL injection to leak personal data of over 179,000 users.
- NHN WETOO's Missteps: Fined KRW 61.1 million for neglecting to secure sensitive customer data and failing to delete outdated databases, affecting over half a million records.
- The PIPC's Urgent Call: Personal data processors must step up their game with regular security audits and strong protections like web application firewalls (WAFs).
Deep Dive
South Korea's Personal Information Protection Commission (PIPC) has cracked down on two companies for major security oversights that put users’ personal data at risk. This recent decision, made at the PIPC’s fourth plenary meeting of the year, should serve as a wake-up call to businesses that think data security is an afterthought.
Let’s talk about BusinessOn, the company behind 'Smart Bill,' an electronic invoicing service that has long been trusted by businesses across the country. Unfortunately, their failure to lock down basic security measures led to a breach that exposed personal details—names, email addresses, IDs, and even passwords—of 179,386 users. How did it happen? Hackers exploited a common yet preventable vulnerability called a Structured Query Language (SQL) injection, in which malicious SQL is submitted through the system’s input fields and executed by its database, letting the attacker manipulate queries and gain unauthorized access to the stored data.
To make matters worse, BusinessOn didn’t just miss the mark on protecting their system—they failed to enforce proper access controls, leaving the system open for exploitation. And if that wasn’t bad enough, they didn’t report the breach to the PIPC in a timely manner. The Commission wasn’t having it. In response, they slapped the company with a penalty of KRW 137 million for the violation and a fine of KRW 2.7 million for failing to report the breach. BusinessOn was also instructed to take corrective action and publish the sanctions on its website.
Neglecting Basic Security Standards Leads to Data Spill
Then there’s NHN WETOO, the operator behind the ‘Gabangpop’ online marketplace for fashion goods. Here’s a company that handled sensitive personal data, including resident registration numbers (RRNs), but somehow managed to overlook some pretty critical security basics. Hackers exploited a vulnerability in NHN WETOO’s system, which led to the leakage of 534,903 records—data belonging to both sellers and customers. The breach was made possible by a few key oversights: NHN WETOO continued running a legacy system that hadn’t been updated with proper security measures, and—perhaps most glaringly—their Web Application Firewall (WAF) was turned off.
To top it off, NHN WETOO didn’t destroy an outdated database that contained sensitive data, including those very RRNs. The law clearly states that these numbers must be destroyed once they’ve outlived their usefulness. This is an area where the company dropped the ball, and the PIPC was quick to act. They imposed a penalty of KRW 61.1 million and a fine of KRW 9.6 million, in addition to ordering the company to publish the sanction results on their site.
What Does This Mean for Businesses?
So, what can we learn from this? It’s not enough to just put a system in place and hope for the best. Businesses that handle personal data need to be proactive—constantly reviewing their systems, monitoring for vulnerabilities, and ensuring that their data processing practices comply with the law. The PIPC is urging companies to implement safeguards like web application firewalls and input validation, which are crucial for preventing attacks like SQL injection. The Commission also stresses the importance of regularly reviewing security protocols and consulting with experts like the Korea Internet & Security Agency (KISA) to stay on top of evolving threats.
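To make the SQL injection point concrete, here is an added illustration that is not from the article and has nothing to do with either company's actual systems. It puts a lookup built by string concatenation next to the same lookup using parameter binding, with an allow-list input check in front of it, which are the two layers (input validation and safe query construction) the guidance above is pointing at. The user table, the names in it, and the helper function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user store.
# None of these records are real.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: the caller's input is pasted into the SQL text.

    Because the value becomes part of the statement itself, an input
    containing quote characters can change the query's logic instead of
    being treated as a plain username.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The safe pattern: the value is bound as a parameter.

    The database driver sends the value separately from the statement, so
    it is only ever compared as data and never parsed as SQL.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for the entry field: a conservative character set and length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def lookup_hardened(conn, username):
    """Input validation at the entry field, then a parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterized(conn, username)


def demo():
    """Run one crafted input through all three lookups and report the outcome."""
    conn = make_db()
    # A textbook input that turns the WHERE clause into an always-true condition
    # when it is concatenated into the statement.
    crafted = "nobody' OR '1'='1"
    results = {
        "vulnerable": len(lookup_vulnerable(conn, crafted)),      # every row leaks
        "parameterized": len(lookup_parameterized(conn, crafted)),  # no such user
    }
    try:
        lookup_hardened(conn, crafted)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"                          # stopped at the door
    return results


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns the whole table for the crafted input, the bound version returns nothing because no user has that literal name, and the hardened version never reaches the database at all. Validation alone is not the fix (legitimate fields such as free-text comments cannot be locked down this tightly); parameter binding is what removes the injection path, and validation narrows what reaches the query in the first place.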
The bottom line is this: data security isn’t optional, and businesses can no longer afford to treat it as an afterthought. As these cases show, the consequences of negligence can be severe—not just financially, but in terms of reputation and user trust. It's time for companies to take a hard look at their security practices before they face the next cyberattack.
Ultimately, the PIPC’s decision is more than just about penalties. It’s a loud reminder to businesses of all sizes that the stakes are higher than ever when it comes to protecting personal data. In today’s digital world, businesses must continuously assess and update their security measures. Anything less could lead to costly consequences, as evidenced by these two high-profile breaches. So, to all businesses handling personal data, it’s time to take your security seriously, or risk paying the price.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.