South Korea: PIPC imposes fines totaling KRW 244M on six businesses for PIPA violations

On April 24, 2024, the Personal Information Protection Commission (PIPC) published its decision in which it imposed fines totaling KRW 244 million (approx. $177,385) on six businesses for violations of the Personal Information Protection Act (PIPA).  

Background to the decision 

The PIPC stated that, while providing online services, the businesses violated their obligations under the PIPA, including those on safety measures and on notification of personal information leaks.

D.S.En Co., Ltd., a company that operates an online pizza ordering service, had a system development error that permitted anyone to access customers' order information by entering the administrator page address. The administrator page was also exposed to search engines, and personal information was leaked. In addition, under the terms of user consent, order information was to be kept for only one year, but data was kept beyond that period. Personal information was also held by another company, Mr. Pizza Co., Ltd., which kept it beyond the expiration time without destroying it.

Yanolja Co., Ltd. utilized cloud data storage with settings that allowed anyone with the address to access customers' personal information. In this instance, at least 794 customers' personal information could be seen.  

STG24, Inc., an online shopping mall, mismanaged website visitor information in a way that allowed personal data to be duplicated. As a result, during a contest, the gift receipt information for some winners, around 173 people, was stored and viewed by other winners.

Funit Co., Ltd. and Hiplay Co., Ltd. each suffered a data breach in which the administrator account was accessed, causing a leak of personal information. Specifically, the PIPC stated that Funit confirmed a hacker accessed the administrator account, checked member information, and sent text messages to 20,196 members. The PIPC also mentioned that no secure authentication method besides password and ID was utilized.

Regarding Hiplay Co., Ltd., a hacker accessed the management program with an administrator account and leaked 1,409 pieces of personal information. Additionally, users were not notified when information was transferred from another business and users' resident registration numbers were collected without a legal basis. 

Findings of the PIPC 

The PIPC highlighted that five of the companies, namely D.S.En, Yanolja, STG24, Funit, and Hiplay, failed to report data leaks or complete the required notification within 24 hours after recognizing the data leaks, thereby violating the leak notification and reporting requirements under the PIPA.

The violations were as follows:  

  • D.S.En failed to destroy personal information, lacked proper safety measures, and did not notify the PIPC regarding the leak in the time required, in violation of Articles 21, 29, and 39 of the PIPA;

  • Mr. Pizza failed to destroy personal information in violation of Article 21 of the PIPA;

  • Funit, Yanolja, and STG24 lacked proper safety measures and did not notify the PIPC regarding the leak in time, in violation of Articles 29 and 39 of the PIPA; and 

  • Hiplay failed to restrict the processing of social security numbers properly, failed to limit the transfer of personal information according to the transfer of business information, lacked proper safety measures, and did not notify the PIPC regarding the leak in time, in violation of Articles 24, 27, 29, and 39 of the PIPA. 

Outcomes 

Considering the above, the PIPC issued fines totaling KRW 244 million (approx. $177,385). The following fines were imposed on each company:  

  • D.S.En – KRW 74.99 million (approx. $54,485);

  • Mr. Pizza – KRW 3.6 million (approx. $2,615);

  • Funit – KRW 91.39 million (approx. $66,415);

  • Yanolja – KRW 35.41 million (approx. $25,730); 

  • STG24 – KRW 23.04 million (approx. $16,740); and 

  • Hiplay – KRW 15.66 million (approx. $11,380).

You can read the decision, only available in Korean, here
