Modetour Network has been hit with a penalty surcharge of approximately 740 million won for neglecting safety measures for personal data protection, following the leak of the personal information of over 3.06 million individuals.
The Personal Information Protection Commission said on the 13th that it had voted in a plenary meeting the previous day to impose a penalty surcharge on Modetour Network, which operates the travel brokerage service Modetour, and to recommend improvements to its personal information protection management system.
According to the investigation by the Personal Information Protection Commission, an unidentified hacker exploited a file upload vulnerability on the webpage operated by Modetour Network in June last year to upload multiple 'web shell files.'
The hacker then executed malware embedded in those files, stealing the personal information of over 3.06 million members and non-members from the customer information databases. This included customers' Korean and English names, birthdates, genders, and mobile phone numbers.
According to the Personal Information Protection Commission, Modetour Network failed to verify file extensions or restrict execution permissions for uploaded files, safeguards meant to prevent web shell attacks such as the hacker's.
The investigation also found that the company's measures to detect and respond to attempted personal information breaches were inadequate. Furthermore, the company failed to destroy the personal information of over 3.16 million non-members (including duplicates) collected since March 2013, even after the retention period had expired.
Additionally, although the company recognized the personal information breach in July last year, it did not give notification of the breach until two months later, without a justifiable reason. Under the Personal Information Protection Act, all personal information handlers must report any breaches to the Personal Information Protection Commission within 72 hours of becoming aware of them.
The Personal Information Protection Commission has imposed a penalty surcharge of 747 million won and fines of 1.2 million won on Modetour Network, ordering it to publicly disclose the penalty on its business website.
It also demanded improvements to the company's internal personal information protection management system so that delays in breach notification do not recur.
The Personal Information Protection Commission urged: 'The risk of personal information theft should be detected and blocked in advance, and it is necessary to establish a system to immediately notify individuals upon recognition of a personal information breach to prevent secondary damage to the information subjects.'