Neopharm Faces Fine of 105 Million KRW Over Leakage of More Than 290,000 Member Records

The Personal Information Protection Commission announced on the 24th that it will impose a fine of approximately 100 million KRW on Neopharm, which experienced a leak of personal information of 300,000 members.


The Commission held a plenary session the previous day and decided to impose a fine of 105.17 million KRW and a penalty of 7.2 million KRW on Neopharm for violating personal information protection regulations. It was also decided to publish this information on the Commission's website.


According to the investigation, a hacker who had previously obtained the administrator account information of the shopping mall operated by Neopharm accessed the web administrator page and stole the personal information of all 293,723 members. Over two weeks starting August 5 last year, the hacker accessed Neopharm's shopping mall web administrator page about 750 times, viewed and downloaded member information, and sent approximately 440,000 illegal text messages.


Neopharm operated the web administrator page of its personal information processing system so that login was possible with only an ID and password, without any additional authentication method. It also violated safety obligations by not restricting the IP addresses that could access the web administrator page.


Neopharm did not assign accounts to personal information handlers individually but shared accounts by department, showing inadequate management of access rights. It was also found to have delayed notifying affected users of the personal information leak.


Additionally, the Commission imposed a fine of 18 million KRW and a penalty of 3.6 million KRW on Ilhak, which showed negligence in management resulting in the exposure of personal information of 10,000 people due to hacking.


Ilhak experienced a personal information breach due to a hacker's SQL injection attack (SQL is a programming language used for database queries) over two days starting December 17 last year. The hacker also posted the personal information of 10,000 people, obtained without authorization, on Ilhak's shopping mall bulletin board.


Ilhak, which operates a fishing supplies shopping mall, was found not to have applied secure authentication methods for logging into the web administrator page. The intrusion detection and blocking system meant to prevent illegal external access was also poorly managed.



Furthermore, it was confirmed that Ilhak violated safety obligations, including having no user input validation procedures to prevent SQL injection attacks and failing to encrypt passwords. Along with the decision to impose fines and penalties, the Commission ordered the business operators to publish these facts on their websites.


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
