The Personal Information Protection Commission (hereinafter referred to as the “Commission”), chaired by Hak-Soo Ko, held its 20th plenary meeting on September 10 and decided to impose a total of 81.01 million Korean Won in fines and 7.2 million Korean Won in penalties on Moncler Korea (hereinafter referred to as “Moncler”) for violating personal information protection regulations, and to announce the results of the disposition.
The specific violations and disposition results for Moncler are as follows:
Moncler became aware on January 17, 2022, that approximately 230,000 pieces of personal data had been leaked in a hacking incident in December 2021, and reported the leak to the Commission on January 22, 2022.

The leaked personal information included names, birthdates, email addresses, card numbers, delivery methods, shopping characteristics, body sizes, and purchase information.
The hacker acquired an employee account with administrative privileges in advance and used those privileges to distribute malicious software on the domain controller server (a security policy management server for authentication and authorization), leaking personal information and encrypting existing data.
The Commission’s investigation found that Moncler had operated its website since June 2019 and, throughout that time, was required to apply a secure authentication method beyond an ID and password when handling personal data over the information and communication network, but neglected to do so.
Additionally, although Moncler was aware of the data leak, it delayed notifying users and reporting the breach for more than 24 hours without a justifiable reason. Moncler notified users on January 20, 2022, and reported the breach on January 22, 2022. At the time, the Personal Information Protection Act, before its amendment, required data leaks to be reported and notified within 24 hours. As of September 2023, the amended act requires personal information processors to report and notify data leaks within 72 hours.
As a result, the Commission imposed fines and penalties on Moncler and decided to announce the fact of the disposition on the Commission’s website. The Commission advised that personal information handlers, when accessing the personal information processing system via the information and communication network, should use secure authentication methods like a one-time password (OTP) in addition to an ID and password.