PIPC Slaps Woori Card with Over $9.1 Million Fine for Data Breach
Key Takeaways
- Purpose Limitation: Personal data must be used strictly for the purpose it was originally collected. Deviation from this can lead to severe penalties.
- Access Control: Role-based access control is essential to limit who can view and use sensitive personal data. Overly broad access leads to massive security risks.
- Supervision is Key: Regular monitoring and supervision of data handling practices are non-negotiable. Companies must take a proactive approach to ensure data security.
- Financial Services Must Act: The financial sector, in particular, needs to carefully review its data processing practices to ensure compliance with the PIPA.
Deep Dive
South Korea’s Personal Information Protection Commission (PIPC) has hit Woori Card with a massive fine of KRW 13.45 billion (roughly $9.1 million) following a major data breach. This decision comes alongside a set of corrective measures designed to overhaul the company’s data management practices, including stricter access controls, better employee training, and tighter oversight of personal information handling.
This story began when employees at Woori Card’s Incheon sales branch decided to misuse merchants’ personal data in their pursuit of boosting credit card sales. Between July 2022 and April 2024, they accessed sensitive merchant information—like phone numbers, resident registration numbers (RRNs), and addresses—by entering merchants’ business registration numbers into the company’s system. The data was then used for marketing purposes, reaching out to at least 131,862 merchants.
But the story didn’t end there. Things got even worse when employees went beyond their job descriptions and shared the sensitive data of over 200,000 merchants with external sales representatives. Between January and April 2024, information on more than 75,000 merchants was emailed out over 100 times. Some merchants had not even consented to their data being shared for marketing, making this breach even more troubling.
A Clear Case of Misuse
Woori Card's handling of the data violated the Personal Information Protection Act (PIPA), which strictly limits how personal data can be used. The information was collected for merchant management purposes only, but Woori Card used it to pursue marketing goals—without securing the proper consent from the affected merchants. This violation is a direct breach of Article 18(1) of the PIPA.
Worse still, Woori Card’s oversight of its internal data management was seriously lacking. The company failed to implement role-based access control (RBAC), a crucial safeguard that limits access to personal data. Employees had unrestricted access to sensitive data, and despite the sheer volume of views and downloads (30 million per month on average), the company did little to monitor or address the situation.
The fine of KRW 13.45 billion is just the beginning. The company now faces corrective orders designed to prevent future breaches, including implementing more robust access controls, tightening internal data management protocols, and improving employee training on compliance. The company has also been instructed to publish the details of the sanction on its website, ensuring accountability.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.