62% of Leakage Incidents Caused by Hacking: Malware and Vulnerability Exploits

Fines and Penalties Totaled KRW 167.7 Billion Last Year

Up KRW 108.3 Billion Year-on-Year Due to SK Telecom Fine

The number of personal information leakage reports filed last year increased by 46% compared to the previous year. Following several large-scale personal information leak incidents in 2025, such as at SK Telecom, the total amount of fines and penalties imposed surged 2.7 times year-on-year.


The Personal Information Protection Commission and the Korea Internet & Security Agency (KISA) announced on the 15th that they had published the "2025 Personal Information Leakage Report Trends and Investigation & Disposition Cases," which analyzes last year's reported leaks and enforcement actions and includes prevention measures by cause and major examples.


Personal Information Leaks Surge 46% Last Year... Fines Soar 2.7 Times

According to the report, a total of 447 personal information leakage reports were filed last year, representing an increase of approximately 45.6% compared to 307 cases in 2024. Among all causes of leakage, hacking accounted for the highest proportion at 62% (276 cases), followed by human error at 25% (110 cases), and system errors at 5% (24 cases).


Types of hacking incidents included: ▲Malware such as ransomware and web shells at 35% (96 cases), ▲Exploiting web vulnerabilities such as SQL injection and parameter tampering at 12% (32 cases), and ▲Abnormal access to administrator pages at 8% (23 cases). With the increase in external threats such as ransomware distribution and hacking of large corporations, leakages due to hacking surged from 171 cases in the previous year to 276 cases last year.


The scale of sanctions, including fines resulting from personal information leakage incidents, also grew significantly. In 2025, the Personal Information Protection Commission conducted 227 investigations and sanctions, imposing fines in 40 cases totaling KRW 167.7 billion and administrative penalties in 125 cases totaling KRW 587.2 million. Compared to the previous year, the combined amount of fines and penalties increased by 172% (KRW 108.3 billion), largely due to SK Telecom being fined approximately KRW 134.8 billion for a SIM information leakage incident.


Examining the locations where leakage incidents occurred, the public sector accounted for 77 cases: ▲Public institutions at 53% (41 cases), ▲Central government and constitutional agencies at 29% (22 cases), and ▲Local governments and schools at 9% each (7 cases each). In the private sector, there were 150 cases: ▲Small and medium-sized enterprises at 50% (75 cases), ▲Large corporations and mid-sized companies at 20% (30 cases), and ▲Non-profit organizations and others at 17% (25 cases).


Of the 227 total sanctions, 115 cases (with fines totaling KRW 158.3 billion) were directly related to personal information leakage investigations and sanctions. The detailed causes of leakage were human error at 46% (53 cases), hacking at 45% (52 cases), and system errors at 7% (8 cases). By cause, hacking accounted for the largest amount of fines, totaling KRW 144 billion (91%).


The Personal Information Protection Commission emphasized that, in order to prevent personal information leakage via ransomware, it is necessary to apply security updates to operating systems and security equipment, conduct regular simulated phishing email drills, and strengthen access controls. Public institutions were advised to designate dedicated personnel for personal information protection to enhance practical expertise, while private companies were instructed to bolster their management and response systems by strengthening oversight of entrusted companies under the leadership of the Chief Privacy Officer (CPO).


A representative of the Personal Information Protection Commission stated, "We will strictly sanction repeated large-scale leakage incidents, while also supporting enhanced accident prevention measures such as encouraging voluntary investment in protection and establishing risk-based management systems for both public and private institutions, to ensure a higher level of effective protection."


Meanwhile, starting from September 11, punitive fines of up to 10% of total sales will be imposed in cases of large-scale personal information leaks caused by a company's intent or gross negligence. The Personal Information Protection Commission emphasized that, with penalties being significantly strengthened, securing proactive security budgets and investing in personnel are essential.



2025 Personal Information Leakage Report Trends. Personal Information Protection Commission



This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
