The Personal Information Protection Commission (PIPC) held its seventh plenary meeting of 2025 and reached a decision to sanction Woori Card Co., Ltd. (Woori Card) for data breaches on March 26, 2025. Administrative sanctions by the PIPC are as follows:
- A penalty for violations (Gwajingguem) of KRW 13.45 billion;
- A publication order of sanction results on its website; and correction orders that include:
i) Stronger access control measures to prevent the misuse and abuse of personal information;
ii) Compliance with taking measures to ensure safety by appropriate access control and periodic overhauls; and
iii) Stronger management and supervision of employees handling personal information.The PIPC launched investigations into Woori Card after the company reported a data breach, and media outlets reported that it used merchants’ personal information for marketing purposes, such as soliciting purchases. The investigations showed that Woori Card took advantage of the personal information of its merchants to implement its marketing strategy for issuing new credit cards without obtaining consent. It was also found that employees working in one of the local branches provided the personal information to sales representatives. The following explains the company’s data processing practices and violations identified during the PIPC’s investigations.
Read more at South Korea’s Personal Information and Protection Commission.
Note: KRW 13.45 billion = USD $9,164,626.91