Black Yak, a mountaineering equipment retailer, was hacked and roughly 340,000 customer personal information records were leaked; the breach has drawn a penalty surcharge of 1.3 billion won.
The Personal Information Protection Commission held a general meeting on the 9th and imposed a penalty surcharge of 1.391 billion won on BYN Black Yak Co., Ltd. (Black Yak) for violating the Personal Information Protection Act, and ordered the company to disclose this on its website on the 10th.
Earlier, from March 1 to 4, hackers ran a SQL injection attack against Black Yak's website and stole administrator account credentials (ID and password). They then logged into the administrator page with the stolen credentials and accessed the personal information of 342,253 users, including names, genders, dates of birth, mobile phone numbers, and partial addresses.
A SQL injection attack inserts SQL syntax into a website's input fields, such as search boxes, login forms, and bulletin boards, so that the application's database executes commands of the attacker's choosing. In this way attackers can bypass logins and extract data.
According to the Commission's investigation, Black Yak had neither checked for nor fixed SQL injection vulnerabilities since launching its website in October 2021. It also left the administrator page reachable from outside the company to accommodate remote work, and protected it with nothing more than an ID and password, with no additional secure authentication method.
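The chain the investigation describes (injection through a public input field, theft of the administrator credentials, login to the administrator page with nothing but ID and password) can be replayed on a small constructed database. The example below is added here and is not code from the article or from Black Yak; it assumes an SQLite schema with invented table and column names, constructed sample rows, and a TOTP code (RFC 6238) as the additional authentication factor, which is one common choice rather than anything the article specifies. It shows the vulnerable search and login queries next to their parameterized forms, and that a parameterized login still admits an attacker who already holds the real credentials, which is why the second factor matters.

```python
import hashlib
import hmac
import sqlite3
import struct


def build_db():
    """Constructed in-memory schema: a product table the public search box
    queries, and an admin table the search should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price INTEGER);
        INSERT INTO products VALUES ('Down jacket', 320000), ('Trekking pole', 45000);
        CREATE TABLE admin_users (login_id TEXT, password TEXT);
        INSERT INTO admin_users VALUES ('siteadmin', 'P@ssw0rd-2021');
    """)
    return conn


def search_vulnerable(conn, term):
    # The term is spliced into the statement text, so a term containing a
    # quote ends the string literal and everything after it is parsed as SQL.
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Bound parameter: the statement structure is fixed before the term is
    # seen, so the term can only ever be compared as data. (% and _ still act
    # as LIKE wildcards, which is a matching issue, not an injection.)
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def login_vulnerable(conn, login_id, password):
    sql = (f"SELECT login_id FROM admin_users WHERE login_id = '{login_id}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, login_id, password):
    sql = "SELECT login_id FROM admin_users WHERE login_id = ? AND password = ?"
    return conn.execute(sql, (login_id, password)).fetchone() is not None


# Search-box payload: close the LIKE literal, make the original predicate
# false, append a UNION that reads the admin table, and comment out the
# trailing "%'" of the original statement.
DUMP_ADMIN = "' AND 0 UNION SELECT login_id, password FROM admin_users --"

# Login-form payload: close the ID literal and comment out the password check.
BYPASS_LOGIN = "siteadmin' --"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. Assumed here as the additional factor;
    the article only says that none was in place."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def admin_login_with_otp(conn, login_id, password, otp, otp_secret, unix_time):
    # A correct but stolen ID/password pair is not enough without the
    # current code from the enrolled device.
    if not login_safe(conn, login_id, password):
        return False
    return hmac.compare_digest(otp, totp(otp_secret, unix_time))


def run_attack_chain():
    """Replays the reported chain: dump the admin credentials through the
    search box, then use them on the login form. Returns each step's result."""
    conn = build_db()
    stolen = search_vulnerable(conn, DUMP_ADMIN)
    admin_id, admin_pw = stolen[0]
    secret = b"12345678901234567890"  # constructed OTP seed (RFC 6238 test vector key)
    now = 59                          # constructed clock value
    return {
        "stolen": stolen,
        "safe_search_leaks": search_safe(conn, DUMP_ADMIN),
        "bypass_on_vulnerable_login": login_vulnerable(conn, BYPASS_LOGIN, "wrong"),
        "bypass_on_safe_login": login_safe(conn, BYPASS_LOGIN, "wrong"),
        "stolen_creds_on_safe_login": login_safe(conn, admin_id, admin_pw),
        "stolen_creds_without_otp": admin_login_with_otp(
            conn, admin_id, admin_pw, "000000", secret, now),
        "stolen_creds_with_otp": admin_login_with_otp(
            conn, admin_id, admin_pw, totp(secret, now), secret, now),
    }


if __name__ == "__main__":
    for step, result in run_attack_chain().items():
        print(f"{step}: {result}")
```

The search payload returns the administrator row from a table the search page has no business reading, and the same payload against the parameterized search returns nothing. Parameterizing the login stops the comment-based bypass, but the attacker who already holds the dumped ID and password still gets in; only the extra factor turns those stolen credentials into a failed login. In a real deployment the OTP seed would be stored per administrator and the code checked with a small window around the current time step.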
The Personal Information Protection Commission emphasized, 'As digital transformation accelerates and remote work increases, cases allowing external access have significantly risen.' It added that 'the application of secure additional authentication methods beyond ID and password is more important than ever to verify whether a user has the appropriate authorization.'
The Personal Information Protection Commission also imposed a penalty surcharge of 23 million won and fines of 2.7 million won on Korea Topic Education Center, an online educational content company, which suffered a similar SQL injection hacking attack and leaked personal information of 84,085 users. It also ordered public disclosure of the disposition details.
The company had been negligent in checking for and fixing security vulnerabilities, and reportedly gave notice of the leak only after more than 72 hours had passed since it became aware of it, without a valid reason for the delay.