
On the 12th, the Personal Information Protection Commission announced that it had imposed a fine (surcharge) of 6.8 billion KRW and an administrative penalty of 27 million KRW on LGU+, the operator involved in the personal information leak. It also ordered corrective measures to prevent a recurrence, including a comprehensive system inspection and remediation of vulnerabilities.


The Personal Information Protection Commission had been investigating LGU+ jointly with a public-private investigation team and the police after about 600,000 personal information records (approximately 300,000 after removing duplicates) were posted by hackers on an illegal trading site in January.


According to the analysis by the Personal Information Protection Commission and the Korea Internet & Security Agency (KISA), the confirmed leaked personal information totalled 297,117 records (after removing duplicates), covering 26 categories of data including mobile phone numbers, names, addresses, dates of birth, email addresses, IDs, and USIM unique numbers. Among LGU+'s systems, the one whose stored data most closely matched the leaked data was the Customer Authentication System (CAS), and the leak was analyzed to have occurred around June 2018.


LGU+ Fined 6.8 Billion KRW, Record Penalty for 300,000 Personal Data Breach

The major confirmed violations include that, until January of this year, the service operation infrastructure and security environment of the Customer Authentication System (CAS) were highly vulnerable to intrusion. As of June 2018, when the leak is presumed to have occurred, most of the commercial software in use, such as the CAS operating system (OS), database management system (DBMS), web server (WEB), and web application server (WAS), had already reached end of life or was no longer supported by its vendor.


Additionally, basic security equipment needed to prevent intrusions and security incidents, such as intrusion blocking systems (firewalls), intrusion prevention systems (IPS), and web application firewalls, was either not installed or, where installed, not configured with proper security policies, and some of it was no longer supported. In particular, malicious code (web shells) uploaded in 2009 and in 2018 during the development phase of the Customer Authentication System (CAS) remained in place until January of this year, and neither web shell inspections nor IPS policies for detecting and blocking web shells had been applied.


Furthermore, live operational data (including personal information) managed in the CAS production environment had been copied to the development and testing environments for testing purposes and some of it was left there unattended; at the time of the investigation, more than 10 million personal information records, including some created in 2008, were still present in those environments.


Management controls were also inadequate. Despite handling a large volume of personal information, LGU+ did not properly manage the access rights and access logs of personal information handlers, so no records existed of the large-scale extraction and transmission of personal information, and no inspection or verification of abnormal activity was carried out.


The Personal Information Protection Commission concluded that LGU+, as a wired and wireless telecommunications operator handling the personal information of a large number of citizens, had failed to manage that information strictly. In its judgment, the leak resulted from the overall poor management of the CAS system and from investment and effort in information protection and security that fell significantly short of other companies.


Additionally, because LGU+ had also violated the Personal Information Protection Act within the past three years, the Commission issued corrective orders requiring it to strengthen the role and standing of the Chief Privacy Officer (CPO), enhance the expertise of its personal information protection organization, re-establish its internal personal information management plan, conduct a comprehensive system inspection, and remediate vulnerabilities.



A representative of the Personal Information Protection Commission stated, "Although this measure is based on the leakage analyzed to have occurred in June 2018, the fine was imposed due to the overall poor management of the system that has continued until now and multiple legal violations. We expect this to serve as a turning point for businesses that hold and process large amounts of personal information to view the budget and manpower invested in personal information protection not as costs but as investments."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
