User Personal Information Leak: 3.6 Million KRW Fine Imposed on ChatGPT
Personal Information Protection Commission Confirms Data Breach of Korean Users
Fine of 3.6 Million KRW Imposed for Reporting Obligation Violation
"Difficult to See as Negligence in Protective Measures"
ChatGPT, which leaked users' personal information, has been fined.
The Personal Information Protection Commission announced on the 27th that it imposed a fine of 3.6 million KRW on OpenAI for violating reporting obligations and issued a recommendation for improvement.
The Commission initiated an investigation ex officio in March following OpenAI's own notice of a personal information leak in the ChatGPT service and related domestic and international media reports.
The investigation revealed that between 5 PM on March 20 and 2 AM on March 21, some users worldwide who accessed ChatGPT Plus had their names, emails, billing addresses, the last four digits of credit card numbers, and expiration dates exposed to other users. Among them, 687 Korean users were included.
The cause of the leak was an unknown bug in the open-source-based cache (temporary storage) solution implemented to increase service speed. After detailed analysis through technical expert review meetings, it was concluded that OpenAI did not neglect generally expected protective measures, so it was not penalized for violating safety obligations.
Bug-related notice posted by OpenAI on its homepage last March. (Photo by OpenAI homepage capture)
However, the Commission imposed a fine for violating the reporting obligation by failing to report within 24 hours of recognizing the leak and recommended that OpenAI conduct a self-inspection of its personal information processing system and establish measures to prevent recurrence.
Additionally, a review of the privacy policy and the actual registration procedure confirmed that the privacy policy was provided only in English. There was no separate consent procedure (assumed to be substituted by registration), and deficiencies in compliance with protection laws were found, such as unclear consignment relationships and specific destruction procedures and methods, and the lack of a clear domestic representative.
There was also an issue with restricting registration for those under 13 years old, which somewhat conflicts with the domestic protection law's legal guardian consent age standard of under 14 years old.
However, OpenAI explained that it is a new global service provider and officially submitted opinions on compliance with domestic protection laws in cooperation with the Commission, in line with the enforcement of the revised protection law (September 15). The Commission recommended improvements and will continuously monitor and verify compliance.
The Personal Information Protection Commission plans to conduct preliminary inspections targeting major domestic and international AI services, including ChatGPT, to minimize personal information infringement factors.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.