PIPC Sanctions Modetour Network for Data Breaches


Key Takeaways

  • Massive Data Breach: Hackers exploited website vulnerabilities at Modetour Network, exposing personal information of over 3 million individuals.
  • Sanctions Imposed: The PIPC fined Modetour KRW 747 million for violations and KRW 10.2 million for wrongdoing, with a requirement to disclose the results publicly.
  • Failure to Safeguard Data: Modetour failed to implement proper security measures, delayed notification of the breach, and neglected to destroy unnecessary personal data.
  • Improvement Orders: The PIPC urged Modetour to improve its data protection practices and ensure compliance with the PIPA in the future.

Deep Dive

The Personal Information Protection Commission (PIPC) of South Korea has penalized Modetour Network Inc. for mishandling a major data breach. The commission’s ruling, announced on March 12, 2025, includes a hefty fine of KRW 747 million (roughly $521,275), along with a KRW 10.2 million ($7,022) fine for additional wrongdoings, making it clear that the company’s failure to protect sensitive customer data will not go unpunished.

The breach itself dates back to July 2024 when hackers took advantage of vulnerabilities on Modetour’s website to upload web shell files. These malicious files allowed the attackers to execute harmful code, leading to the leak of personal data belonging to over 3 million individuals — including both customers and non-customers of the travel agency. The compromised data included sensitive information such as names (in both Korean and English), birthdates, gender, and contact details.

The investigation that followed revealed a string of security lapses. Modetour had not properly examined the files being uploaded to its system, missing potential red flags that could have prevented the breach. Worse yet, the company’s access controls were not up to par, which meant that the breach went undetected for longer than it should have.

Adding to the severity of the situation, Modetour failed to destroy personal information that it no longer had a legitimate need to keep — including data on non-members collected as far back as 2013. The company’s inability to adhere to proper data retention and destruction protocols allowed the breach to have a far-reaching impact. But perhaps the most damaging part of the story was Modetour’s delayed notification of the breach. The company waited a full two months before informing those affected — a clear violation of the Personal Information Protection Act (PIPA), which mandates that such notifications should be made within 72 hours of discovering a breach.

The PIPC’s ruling is not just about the penalties — it’s a clear message to all businesses handling personal information: take your security measures seriously, act swiftly when a breach occurs, and ensure that data is properly deleted when no longer needed. The fine of KRW 747 million for violations and the KRW 10.2 million for wrongdoing reflect the seriousness with which the commission views these failures. In addition to the financial penalties, Modetour was also ordered to publish the sanction results on its website and make significant improvements to its internal privacy protection systems.

This ruling highlights the growing importance of data privacy and serves as a warning to companies handling vast amounts of sensitive information. Businesses must step up their efforts to safeguard customer data, implement effective security protocols, and respond quickly when breaches occur. For Modetour, the financial and reputational consequences of this breach will be far-reaching, and they serve as a harsh reminder that negligence in data protection is not something that can be overlooked.

The PIPC has also urged the company to take swift action to improve its security practices to prevent future breaches and ensure compliance with the PIPA moving forward.
