[Image: PIPC logo, courtesy of the Personal Information Protection Commission]

On the 12th, the Personal Information Protection Commission (PIPC) announced that it had imposed a penalty surcharge of 80 million won and a fine of 6 million won on the global pharmaceutical company Merck for failing to fulfill its obligation to protect customers' personal information, which resulted in a data breach.

According to the commission, Merck launched a new service to help users manage dosing records for the pharmaceuticals it manufactures and sells; because of a system error, the personal information of up to 108 individuals was exposed. The investigation found that Merck had not checked the service for security vulnerabilities before launch. As a result, every user who accessed the service was treated as the same individual, so the personal information of the first user could be viewed by any user who accessed the service afterwards. It was also confirmed that, after recognizing the breach, Merck waited 24 hours before giving notification of the leak, without justifiable reason.
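The defect described above, users being treated as the same individual, is what happens when a service resolves the caller once and keeps the result in state shared by every request. The following is an added example, not Merck's code: a minimal in-memory dosing-record service in the vulnerable shape beside a version that resolves the user from the session on every request, plus the kind of two-session isolation check that a pre-launch review would run. The patient records, session table and names are all constructed for the example.

```python
"""Identity confusion in a minimal in-memory service: a "current user"
cached in server-wide state on the first request makes every later caller
see the first user's dosing records. Added example with constructed data."""

# Constructed sample data: two patients' dosing records and two live sessions.
RECORDS = {
    "patient-A": [{"drug": "drug-1", "dose_mg": 10, "taken_at": "2024-01-01T08:00"}],
    "patient-B": [{"drug": "drug-2", "dose_mg": 5, "taken_at": "2024-01-01T09:00"}],
}
SESSIONS = {"sess-1": "patient-A", "sess-2": "patient-B"}


class VulnerableService:
    """Resolves the user once and keeps it in state shared by all requests."""

    def __init__(self):
        self._user = None  # shared across every request: the defect

    def _resolve_user(self, session_id):
        if self._user is None:  # only the first caller ever sets this
            self._user = SESSIONS[session_id]
        return self._user

    def dosing_records(self, session_id):
        return RECORDS[self._resolve_user(session_id)]


class FixedService:
    """Looks the user up from the presented session on every request."""

    def dosing_records(self, session_id):
        user = SESSIONS.get(session_id)
        if user is None:
            raise PermissionError("no valid session")
        return RECORDS[user]


def isolation_check(service):
    """Pre-launch check: two different sessions must never see each other's data.

    Returns True only when each session gets exactly its own records."""
    first = service.dosing_records("sess-1")
    second = service.dosing_records("sess-2")
    return first == RECORDS["patient-A"] and second == RECORDS["patient-B"]


if __name__ == "__main__":
    for cls in (VulnerableService, FixedService):
        print(cls.__name__, "isolates users:", isolation_check(cls()))
```

The check is deliberately order-dependent: it logs in as one session, then as another, because the vulnerable shape only fails once a second identity arrives. Run against `VulnerableService` it reports False, since the second session is handed patient-A's records; against `FixedService` it reports True.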

The commission decided at its general meeting the previous day to impose the penalty surcharge and fine on Merck and to publish the decision on its website. At the same meeting it also decided to impose a penalty surcharge of 32.42 million won and fines of 8.4 million won on two companies, OnFlat, an online payment service provider, and DR Plus, an online second-hand car transaction brokerage service, both of which leaked member information after neglecting to defend against SQL (Structured Query Language) injection attacks, and to publicize the results of these actions as well.

The DR Plus case came to light during the investigation into OnFlat, when the company's CEO recognized that DR Plus had suffered the same hacking attack and data leak, which led to an investigation there as well. The commission advised that businesses handling personal information must thoroughly check for security vulnerabilities before launching new services, and that continuous attention is needed to maintain proper security measures against widely known web vulnerabilities such as SQL injection.
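The SQL injection weakness cited against OnFlat and DR Plus comes from building a query by splicing user input into the SQL text. The following is an added example, not either company's code, run against an in-memory SQLite table of three constructed member rows: a member lookup in the vulnerable shape beside the parameterized form, with two crafted inputs showing how the first dumps every member and reads another table while the second treats the same input as a plain e-mail address. The table, rows and payload strings are all constructed for the example.

```python
"""SQL injection on a constructed in-memory SQLite member table: string
formatting lets the input become SQL syntax, parameter binding does not.
Added example; not the companies' code."""
import sqlite3


def build_db():
    """Constructed sample data: three members with an e-mail and phone number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO members (email, phone) VALUES (?, ?)",
        [
            ("alice@example.com", "010-1111-1111"),
            ("bob@example.com", "010-2222-2222"),
            ("carol@example.com", "010-3333-3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string formatting, so the value becomes SQL syntax."""
    sql = f"SELECT email, phone FROM members WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Binds the value as a parameter; the SQL text itself never changes."""
    return conn.execute(
        "SELECT email, phone FROM members WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology: closes the quoted literal and appends an always-true clause.
DUMP_ALL = "x' OR '1'='1"
# UNION-based read of another table; "--" comments out the trailing quote.
READ_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, dump-all :", lookup_vulnerable(db, DUMP_ALL))
    print("vulnerable, schema   :", lookup_vulnerable(db, READ_SCHEMA))
    print("parameterized, dump  :", lookup_safe(db, DUMP_ALL))
    print("parameterized, legit :", lookup_safe(db, "bob@example.com"))
```

The vulnerable lookup returns all three members for `DUMP_ALL` and the `members` table definition for `READ_SCHEMA`; the parameterized lookup returns nothing for either payload, because no member's e-mail literally equals those strings, and still finds a real address normally. The same distinction applies to any database driver: the fix is to keep data out of the statement text, not to filter characters.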