Korean Privacy Commission Fines Boram Group 540 Million Won for Data Breach

by BAEK SEO HYUN Posted: May 14, 2026, 12:25 Updated: May 14, 2026, 12:25
Personal Information Protection Commission logo [Photo=Yonhap News]

The Personal Information Protection Commission (PIPC), an independent administrative agency established to oversee the handling and protection of personal data, has imposed a total fine of 542.5 million won ($540,000) and an additional penalty of 11.4 million won ($11,400) on Boram Development and six other affiliates of the Boram Group for violating the Personal Information Protection Act.

On May 13, during its ninth plenary session, the PIPC approved the fines and corrective measures against Boram Development and its six affiliates, which include Boram Leaders, Boram Life, Boram People, Boram Anycall, Boram Siloam, and Boram Plus.

The PIPC began its investigation after receiving a report of a data breach from Boram Development in May 2024.

The investigation revealed that Boram Development had been managing customer personal information from six affiliates as part of its customer relationship management (CRM) operations. It also found that the company failed to implement adequate safety measures, such as access control management and security vulnerability assessments, while operating its systems.

The PIPC determined that hackers exploited vulnerabilities on the company's website through an SQL injection attack, gaining access to the database and leaking customer information, including names, mobile phone numbers, and email addresses.

As a result, the PIPC imposed a fine of 531 million won ($530,000) on Boram Development for failing to comply with safety measures. An additional penalty of 11.4 million won was levied for delays in notifying affected customers and for not destroying personal data that was retained beyond its retention period.

Furthermore, the six affiliates were fined a total of 11.5 million won ($11,500) for neglecting their responsibilities in managing and supervising the handling of personal data. The PIPC ordered these companies to publicly disclose the details of the sanctions on their websites.

In addition, the PIPC issued a corrective order requiring the Boram Group to review its overall personal data handling practices and management systems, as well as to enhance transparency in its contractual relationships with service providers. This is aimed at improving the overall level of personal data protection across the Boram Group.



* This article has been translated by AI.