Penalties and Fines of 550 Million Won Imposed on Boram Sangjo for Personal Data Breach
Hacking Incident in Information System Outsourcing Affiliates
Nearly 28,000 Cases of Customer Names, Phone Numbers, and Emails Leaked
542.5 Million Won in Penalties and 11.4 Million Won in Administrative Fines Imposed
Boram Group affiliates, which experienced data breaches involving subscribers' names, phone numbers, and emails, have been fined a total of approximately 550 million won in penalties and administrative fines.
The Personal Information Protection Commission announced on the 14th that it held its 9th plenary session the previous day, during which it imposed a total of 542.5 million won in penalties and 11.4 million won in administrative fines on seven Boram Group affiliates, including Boram Sangjo Development, for violating the Personal Information Protection Act. The commission also resolved to order corrective measures and public disclosure.
The Boram Group affiliates subject to the penalties and fines include Boram Sangjo Development, Boram Sangjo Leaders, Boram Sangjo Life, Boram Sangjo People, Boram Sangjo Anycall, Boram Sangjo Siloam, and Boram Sangjo Plus. The commission imposed a penalty of 531 million won on Boram Sangjo Development for violating security measures, and an administrative fine of 11.4 million won for delayed notification of the data breach and failure to destroy personal information. The affiliates were fined a total of 11.5 million won for failing to supervise their data processors, and were ordered to disclose the details of the penalties on their websites. Additionally, a corrective order was issued requiring group-wide inspections and improvements in personal data handling, restructuring of decision-making systems, and measures to ensure transparency in consignment relationships.
The commission received a report of a personal data breach from Boram Sangjo Development on May 28, 2024, and launched an investigation. The probe confirmed violations of security obligations and a lack of proper oversight over data processors.
Boram Sangjo Development had been entrusted with customer relationship management (CRM) work, such as handling online customer inquiries, from six group affiliates, operating a database (DB) that managed personal information collected via their websites. According to the commission's investigation, Boram Sangjo Development neglected to implement adequate security measures for its personal data management system. The six affiliates, as the entities outsourcing personal data processing, also failed to sufficiently supervise Boram Sangjo Development to ensure the safe management of information.
A hacker exploited vulnerabilities in the website to carry out a SQL injection attack, infiltrating Boram Sangjo Development's database and stealing customer personal data such as names, mobile phone numbers, and emails. SQL injection is an attack technique that exploits security flaws in a web application by submitting SQL statements as input in order to manipulate the database or steal information. SQL is the language used to retrieve data stored in a database.
The total number of leaked personal data entries reached 27,882. The leak involved the IDs, passwords, names, mobile phone numbers, dates of birth, gender, and emails of 976 current website members and 12,950 former (alumni) website members, as well as the names, mobile phone numbers, and emails of 13,927 online inquiry members.
It was also confirmed that Boram Sangjo Development notified data subjects of the breach after the legal deadline and continued to retain personal information past the legally required retention period without destroying it.
A commission official stated, "This action is significant in that it warns of potential security blind spots in complex personal data processing environments involving multiple affiliated companies. It also clarifies that when personal data is processed collectively through consignment, ensuring transparency in processing systems is critical, and the consignor bears the responsibility to manage and supervise the data processor's handling of personal data and protective measures."
Meanwhile, since January, the commission has been conducting a preliminary inspection across the entire funeral service sector to review personal data processing practices and improve related procedures.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.