
Hello. This is lawyer Shin Jun-seon from the law firm Cheongchul.
Recently, as incidents of personal information leakage have continued to occur, companies are paying growing attention to compliance with personal information protection obligations. In particular, as the Personal Information Protection Commission (hereafter 'PIPC') has strengthened sanctions against violating businesses, news reports of companies being fined hundreds of millions of won over personal information leaks have become frequent. Accordingly, companies that handle personal information need to closely examine their compliance with personal information protection regulations.
In this article, we will analyze recent cases of personal information leakage and the levels of penalties, and look at the legal response measures that companies should be aware of.
[Question] What is the level of fines for personal data breaches?
[Answer]
1. Key Legal Obligations under the Personal Information Protection Act
According to the Personal Information Protection Act, data handlers have obligations including ▲ the obligation to destroy personal information (Article 21) ▲ restrictions on processing resident registration numbers and obligations for encryption (Article 24-2, Clause 1 and Clause 2) ▲ the obligation to take appropriate safety measures to protect personal information (Article 29) ▲ the obligation to notify data subjects without delay in the event of a data breach (Article 34 Clause 1) ▲ the obligation to prepare measures to minimize the damage from leakage (Article 34 Clause 2) ▲ the obligation to report to PIPC or professional organizations (Article 34 Clause 3). In the case of violations of these obligations, fines (Article 64-2) and administrative penalties (Article 75) may be imposed.
The details of the key legal obligations are as follows.
(1) Obligation to encrypt resident registration numbers (Article 24-2 Clause 2, Enforcement Decree Article 21-2)
Data handlers must securely store resident registration numbers through encryption measures (refer to the details of the PIPC notification [Standards for Ensuring the Safety of Personal Information]).
(2) Obligation for safety measures (Article 29, Enforcement Decree Article 30)
Data handlers must take technical, administrative, and physical measures necessary to ensure safety, such as establishing internal management plans and keeping access logs, to prevent personal information from being lost, stolen, leaked, forged, altered, or damaged.
(3) Obligation to notify data subjects (Article 34 Clause 1)
If data handlers become aware that personal information has been leaked, they must notify the data subjects without delay of the following matters in accordance with Article 34 Clause 1 of the Personal Information Protection Act.
Items of leaked personal information
The timing and circumstances of the leak
Ways to minimize damage
Response measures and damage relief procedures
Department in charge of receiving reports and contact information
(4) Obligation to report to PIPC (Article 34 Clause 3, Enforcement Decree Article 40)
In the following cases, reports must be made to PIPC or the Korea Internet and Security Agency within 72 hours.
If personal information of over 1,000 data subjects has been leaked
If sensitive information or unique identification information has been leaked
If personal information has been leaked due to illegal access from outside
2. Recent cases of personal data leakage and the level of fines and penalties
Analyzing recent cases of sanctions against personal data leakage by the PIPC, it appears that the level of punishment for personal data breaches is gradually being strengthened, and that the level of punishment differs based on the degree of violation and the scale of the leak.
| Case | Extent of Leakage | Level of Fines and Penalties | Considered Factors | Applicable Legal Provisions |
|---|---|---|---|---|
| Modoo Tour Network (March 2025) | Approximately 3.06 million members and non-members | Fine of 740 million won; penalty of 10.2 million won | Large-scale leak (3.06 million people); 3.16 million personal information records not destroyed; notification delayed 2 months after awareness of the leak (legal deadline is 72 hours) | Article 29; Article 21 Clause 1; Article 34 Clause 1 |
| Business On Communication (February 2025) | Member information, about 180,000 records | Fine of 137 million won; penalty of 2.7 million won | Inadequate defenses against hacking (violation of basic safety measures); delayed notification after awareness of the leak | Article 29; Article 34 Clause 3 |
| NHN WeToo (February 2025) | Seller and customer personal information, 530,000 records | Fine of 61.1 million won; penalty of 9.6 million won | Inadequate security measures for the old DB during system reorganization | Article 29; Article 21 Clause 1; Article 24-2 Clause 1 |
| KT Alpha (April 2025) | 51 people (90,000 accounts hacked successfully) | Fine of 4.91 million won; penalty of 6.9 million won | Inadequate detection and blocking of credential stuffing attacks; delayed notification after awareness of the leak; masking of personal information limited the actual scale of the leak (mitigating factor) | Article 29; Article 34 Clause 1 |
| ClassU (April 2025) | About 1.6 million users | Fine of 53.6 million won; penalty of 7.2 million won | Inadequate basic measures such as access restrictions; delayed notification after awareness of the leak; fine reduced | Article 29; Article 21; Article 24-2 Clause 2; Article 34 Clause 1 |
3. Factors determining the level of fines through case studies
The PIPC considers the following factors when imposing fines for personal information leakage (Article 64-2 Clause 1 Item 9; Article 64-2 Clause 4).
(1) The nature and severity of the violation (Article 64-2 Clause 4 Item 1)
The more serious the violation of safety obligations under the Personal Information Protection Act, the higher the punishment level. In the cases of Modoo Tour Network and Business On Communication, large-scale leaks of personal information occurred due to inadequate checks of basic security vulnerabilities.
(2) The scale and sensitivity of the leaked personal information (Article 64-2 Clause 4 Items 1, 5, 8, 9, etc.)
The higher the quantity of leaked personal information and the more sensitive information, such as resident registration numbers, the higher the level of punishment. In the case of Modoo Tour Network, more than 3 million personal information records were leaked, resulting in high fines.
(3) Adequacy of post-leak response (Article 64-2 Clause 4 Item 6)
Timeliness and compliance with notification and reporting obligations upon awareness of the leak are also crucial factors. It is believed that the fact that Modoo Tour Network notified the leak two months later served as an additional sanction factor.
(4) Efforts in implementing safety measures (Article 64-2 Clause 4 Item 4)
In the case of KT Alpha, preemptive measures such as masking personal information on the webpage were taken into account as the actual scale of personal information leakage was limited, resulting in relatively lower fines.
(5) Application of exemption from fines (Article 64-2 Clause 5) and reduction factors (Article 64-2 Clause 6)
The PIPC may not impose fines if the violator has legitimate reasons to believe their actions are not illegal or if the content and degree of the violation are minor. Additionally, in the ClassU case, fines were reduced taking into account the violator's financial situation and realistic burden capacity. This measure for reduction is based on the PIPC notification [Standards for imposing fines for violations of the Personal Information Protection Act] Article 11.
(6) Administrative penalty regulations (Article 75, Enforcement Decree Article 63, Appendix 2)
The PIPC can impose administrative penalties for violations of the Personal Information Protection Act, such as delays in notifying data subjects or reporting to the relevant institutions in the event of a data leak, and violations of the resident registration number processing and encryption rules, but it cannot impose penalties for actions that have already been fined (Article 76).
4. Companies' response measures
To effectively respond to personal information leakage incidents, the following preparations and actions are necessary.
(1) Strengthening safety measures for preventive purposes (Article 29, Enforcement Decree Article 30)
Regular vulnerability checks: Conduct regular checks for web vulnerabilities and attack patterns (SQL injection, credential stuffing, etc.)
Strengthening access control: IP restrictions and enhanced authentication to allow only authorized access to personal data processing systems
Encryption measures: Important information such as resident registration numbers and account numbers must be encrypted for storage
Destruction of unnecessary personal information (Article 21): Personal information that has exceeded its retention period must be destroyed without delay
(2) Establishing a response system for leakage incidents
Building a leakage detection system: Establish a monitoring system that can detect abnormal access attempts, bulk queries, and other abnormal signs
Preparing response manuals: Establish a response system including notification and reporting procedures and designating responsible persons when leakage incidents occur
Familiarity with reporting procedures within 72 hours (Article 34 Clause 3, Enforcement Decree Article 40): Establish internal procedures to report to PIPC or the Korea Internet and Security Agency within 72 hours from the awareness of personal information leakage
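As an added illustration of the detection system described in (2) and the reporting trigger and 72-hour deadline from section 1(4), the following Python script is not part of this article. It assumes a simplified access-log line format (timestamp, source IP, account, action, result, record count) and illustrative thresholds (failed logins against 5 or more distinct accounts within 5 minutes as a credential-stuffing sign, more than 1,000 personal-data records queried by one account within 10 minutes as a bulk-query sign); the log lines are constructed, not real data, and a real deployment would tune the thresholds to its own traffic.

```python
"""Leakage-sign detection over access logs plus the Article 34 Clause 3 reporting
check and 72-hour deadline. Added example; the log format and thresholds are
assumptions for illustration, not from the article or from any regulator."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). Columns:
# <ISO timestamp> <source_ip> <account> <action> <result> <records_returned>
SAMPLE_LOG = """\
2025-04-01T09:00:01 203.0.113.7 user001 login FAIL 0
2025-04-01T09:00:02 203.0.113.7 user002 login FAIL 0
2025-04-01T09:00:03 203.0.113.7 user003 login FAIL 0
2025-04-01T09:00:04 203.0.113.7 user004 login FAIL 0
2025-04-01T09:00:05 203.0.113.7 user005 login FAIL 0
2025-04-01T09:00:06 203.0.113.7 user006 login OK 0
2025-04-01T09:10:00 198.51.100.4 user042 login FAIL 0
2025-04-01T09:10:20 198.51.100.4 user042 login FAIL 0
2025-04-01T09:10:40 198.51.100.4 user042 login OK 0
2025-04-01T10:00:00 10.0.0.5 staff_kim query OK 600
2025-04-01T10:03:00 10.0.0.5 staff_kim query OK 500
2025-04-01T10:05:00 10.0.0.5 staff_kim query OK 400
2025-04-01T10:30:00 10.0.0.9 staff_lee query OK 120
2025-04-01T11:00:00 10.0.0.9 staff_lee query OK 80
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, action, result, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "account": account,
                       "action": action, "result": result, "count": int(count)})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failed logins within `window` hit >= min_accounts distinct
    accounts. Repeated failures against a single account (a typo) are not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):           # sliding time window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def detect_bulk_queries(events, window=timedelta(minutes=10), max_records=1000):
    """Flag accounts whose personal-data queries within `window` return more than
    max_records rows in total (an abnormal bulk-query sign)."""
    by_account = defaultdict(list)
    for e in events:
        if e["action"] == "query":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, queries in by_account.items():
        queries.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for q in queries:                       # running sum over the sliding window
            total += q["count"]
            while q["ts"] - queries[start]["ts"] > window:
                total -= queries[start]["count"]
                start += 1
            if total > max_records:
                flagged[account] = max(flagged.get(account, 0), total)
    return flagged


def report_required(num_subjects, sensitive_or_unique_id, external_intrusion):
    """Reporting triggers as summarised in section 1(4). The 1,000-subject threshold
    is applied here as '1,000 or more' (assumption on the reading of 'over 1,000')."""
    return num_subjects >= 1000 or sensitive_or_unique_id or external_intrusion


def reporting_deadline(awareness_time):
    """72 hours from awareness of the leak (Article 34 Clause 3, Enforcement Decree Article 40)."""
    return awareness_time + timedelta(hours=72)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    bulk = detect_bulk_queries(evs)
    print("credential-stuffing sources:", stuffing)
    print("bulk-query accounts:", bulk)
    awareness = datetime(2025, 4, 1, 10, 0)
    # A leak via external credential stuffing must be reported even with few subjects.
    print("report required:", report_required(51, False, bool(stuffing)))
    print("report deadline:", reporting_deadline(awareness).isoformat())
```

The two detectors use a sliding time window rather than fixed buckets so that a burst straddling a minute boundary is still caught; the reporting helper shows that the external-intrusion trigger applies regardless of the subject count, which is why even a small-scale credential-stuffing leak falls under the 72-hour reporting duty.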
(3) Preparing for PIPC investigations
Preserving records: Preserve relevant materials including logs and access records related to personal information processing
Legal expert consultation: Secure expert consultation for legal responses during PIPC investigations
Preparing for fine reduction factors (Article 64-2 Clause 5): Prepare factors for fine reduction such as measures to prevent damage from spreading, measures to prevent recurrence, and evidence of the company’s financial situation or market conditions during economic crises
5. Conclusion
Summing up recent cases of sanctions by the PIPC, violations of the obligation to implement safety measures and delays in breach notification are common findings. Fines can be imposed up to 3% of total sales (Article 64-2 Clause 1), posing a significant burden on companies. Therefore, companies must prevent personal data leakage incidents in advance, and if a leak occurs, assess its actual scale, re-evaluate the status of their personal information protection systems, and actively explain this to the PIPC to minimize the level of punishment.
Personal information leakage incidents lead to various negative impacts such as damage to corporate image, decreased consumer trust, and economic losses including fines. Therefore, it is crucial to thoroughly check compliance with personal information protection regulations regularly, and when an investigation by the PIPC has begun, to respond systematically with the assistance of legal experts while actively cooperating.
The Law Firm Cheongchul has extensive experience in various disputes related to personal information protection laws and responses to PIPC and provides practical advice on managing legal risks related to corporate responses to personal information leakage incidents. If you need legal consultation, please feel free to contact us.