Press Release
July 12, 2023
(This is an unofficial translation of a press release, originally prepared in Korean.)
On July 12, the Personal Information Protection Commission (PIPC) held a plenary meeting and reached a decision to impose an administrative penalty of KRW 6.8 billion (USD 5.3 million) and an administrative fine of KRW 27 million (USD 21,000) against telecommunications service provider LG Uplus Corp. (“LG U+”) for violations of Korea’s data privacy law, including leakage of personal data. It also issued corrective orders to prevent recurrence, including implementation of system-wide inspections and improvements aimed at reducing vulnerabilities.
It was reported in January 2023 that LG U+ had been hit by a hacking attack when the personal data of approximately 600,000 (about 300,000 when duplicates are removed) current and former customers was exposed on an illegal online marketplace. The PIPC has since been conducting an in-depth investigation.
Upon analysis of the exposed data, the PIPC found that a total of 297,117 individuals had their personal data leaked in the incident. Twenty-six types of data had been stolen, including mobile phone numbers, names, addresses, birth dates, email addresses, IDs, and Universal SIM numbers. Among the multiple systems LG U+ had in place, the Compound Authorization System (“CAS”) was found to be the one storing the sets of data that most closely matched those exposed on the dark web. The LG U+ CAS is mainly used to verify the identity of customers when they add or cancel add-on services, such as a “child protection” service. It was found that the breach took place in or around June 2018.
The following explains major violations found as a result of the investigation on the telecommunications company’s failure to comply with the Personal Information Protection Act (PIPA).
1. Vulnerability in security infrastructure, particularly in the CAS
It was found that the service operation infrastructure and security environment around the CAS were highly vulnerable to intrusion by hackers at the time of the incident, and remained largely unchanged until the investigation began in January this year.
Specifically, as of June 2018, most of the commercial software installed within the CAS had been discontinued, or technical support for it had been terminated. This includes the operating system (OS), database management system (DBMS), web server and web application server (WAS) of the CAS.
The security infrastructure required to prevent attacks, such as a firewall, an intrusion prevention system (IPS) and a web application firewall, was either not adequately installed or, where installed, not configured with the corresponding security policies, and some of these products no longer received technical support at all.
In particular, pieces of malicious code called web shells, which had been uploaded to the CAS through its development tool in 2009 and 2018, remained undeleted until the investigation began in 2023. This revealed both the system’s failure to detect web shells and the failure to apply the appropriate detection and blocking policies on the IPS.
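The finding above is a failure of inventory control as much as of detection: server-side scripts that nobody deployed sat in a web root for years. The following is an added example (not part of the PIPC release and not LG U+’s tooling) of the defender-side check that would have surfaced them: compare every file under a web root against the hashes recorded at deployment time, and run a small content heuristic for code-execution indicators over script files. The manifest format, the indicator list, and the constructed sample web root are all assumptions.

```python
"""Added example (not from the PIPC release or LG U+): scan a web root for
files missing from the deployment manifest, files whose hash differs from it,
and script files containing common web-shell indicators. The manifest layout,
the indicator patterns and the sample files are assumptions, not real data."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Content indicators: calls that execute OS commands or arbitrary code from a
# server-side script. Constructed heuristic list, deliberately small.
SHELL_INDICATORS = {
    "jsp-exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec\(|new ProcessBuilder\("),
    "php-exec": re.compile(rb"\b(eval|system|passthru|shell_exec|popen)\s*\(", re.I),
    "aspx-exec": re.compile(rb"Process\.Start\(|ProcessStartInfo\("),
}
SCRIPT_SUFFIXES = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_webroot(root: Path, manifest: dict[str, str]) -> list[dict]:
    """Return one finding per suspicious file under root.

    manifest maps a relative POSIX path to the SHA-256 recorded at deployment.
    """
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        reasons = []
        if rel not in manifest:
            reasons.append("not in deployment manifest")
        elif manifest[rel] != digest:
            reasons.append("content differs from manifest")
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            data = path.read_bytes()
            for name, pattern in SHELL_INDICATORS.items():
                if pattern.search(data):
                    reasons.append(f"indicator:{name}")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


def build_sample_webroot() -> tuple[Path, dict[str, str]]:
    """Create a constructed web root: one approved page plus one unapproved upload."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    approved = root / "status.jsp"
    approved.write_text("<html><body>Add-on service status</body></html>\n")
    manifest = {"status.jsp": sha256_of(approved)}
    (root / "upload").mkdir()
    # Constructed sample: the indicator sits inside a JSP comment, so the file
    # does nothing when served, but the content scan still catches it.
    (root / "upload" / "img.jsp").write_text(
        '<%-- constructed sample: Runtime.getRuntime().exec(request.getParameter("c")) --%>\n'
    )
    return root, manifest


def run_sample() -> list[dict]:
    root, manifest = build_sample_webroot()
    return scan_webroot(root, manifest)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["reasons"]))
```

The manifest comparison is the stronger of the two checks: a content heuristic only catches what it has patterns for, whereas a file that was never part of a release is suspicious regardless of what it contains. Running the scan on a schedule, and alerting on any finding rather than only on indicator hits, is what turns it into the detection control the release says was missing.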
2. Failure to remove personal data after use for testing purposes
Actual operational data, including personal data, managed by the operation tool of the CAS was transferred to the development and quality validation tools for the purpose of conducting tests, but some of these data were left behind after the testing and validation. As a result, the personal data of over 10 million individuals, including records generated in 2008, remained unattended until the time of the investigation in 2023.
3. Poor data control and management practices
While dealing with a vast amount of personal data, LG U+ failed to put in place proper data control and management schemes, leaving the system vulnerable to attacks. For example, the access permissions granted to those handling personal data within the company and their access logs were not properly controlled or managed. The lack of control allowed abnormal behavior to go unnoticed, including the large-volume extraction and transmission of personal data.
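The third finding is about access control and access logging: bulk extraction went unnoticed because nobody was checking who was entitled to export customer data, or how much of it was leaving and when. The following is an added example (not from the PIPC release and not LG U+’s code) of the kind of review that the control failure describes, run over a constructed access log: each event is checked for bulk volume, for an EXPORT by an operator not on the permission register, and for activity outside business hours, and per-operator daily totals are kept so that extraction split into many small events still shows up. The log format, the permission register, and the thresholds are assumptions.

```python
"""Added example (not from the PIPC release or LG U+): review a constructed
access log of a customer-data system and flag events that should not pass
unnoticed. The log columns, the permission register and the threshold values
are assumptions standing in for a real site's policy."""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, operator, action, table, rows touched
SAMPLE_LOG = """\
ts,operator,action,table,rows
2018-06-03T09:12:00,op-17,SELECT,customer_auth,12
2018-06-03T09:40:00,op-17,SELECT,customer_auth,8
2018-06-03T02:11:00,op-42,EXPORT,customer_auth,180000
2018-06-03T02:13:00,op-42,EXPORT,customer_auth,120000
2018-06-03T10:05:00,op-09,EXPORT,customer_auth,250
"""

# Constructed permission register: operators entitled to run EXPORT at all
EXPORT_ALLOWED = {"op-09"}
BULK_THRESHOLD = 10_000          # rows in one event that warrant review (assumed policy)
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local time (assumed policy)


def parse_log(text: str) -> list[dict]:
    """Parse the CSV access log into typed event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "operator": row["operator"],
            "action": row["action"],
            "table": row["table"],
            "rows": int(row["rows"]),
        })
    return events


def find_anomalies(events: list[dict], allowed=EXPORT_ALLOWED,
                   threshold: int = BULK_THRESHOLD, hours=BUSINESS_HOURS):
    """Return (alerts, daily_totals).

    alerts: one entry per event with at least one reason for review.
    daily_totals: rows touched per (operator, YYYY-MM-DD), for baseline comparison.
    """
    alerts = []
    daily_totals: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        reasons = []
        if e["rows"] >= threshold:
            reasons.append("bulk volume")
        if e["action"] == "EXPORT" and e["operator"] not in allowed:
            reasons.append("export without permission")
        if e["ts"].hour not in hours:
            reasons.append("outside business hours")
        daily_totals[(e["operator"], e["ts"].date().isoformat())] += e["rows"]
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "operator": e["operator"],
                "action": e["action"],
                "rows": e["rows"],
                "reasons": reasons,
            })
    return alerts, dict(daily_totals)


def run_sample():
    return find_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    alerts, totals = run_sample()
    for a in alerts:
        print(a["ts"], a["operator"], a["action"], a["rows"], ", ".join(a["reasons"]))
    for (operator, day), rows in sorted(totals.items()):
        print(f"{day} {operator}: {rows} rows")
```

The per-event checks catch the obvious case in the sample (a 300,000-row export at two in the morning by someone with no export entitlement), but the daily totals are what a reviewer compares against a per-role baseline; a slow extraction of a few hundred rows per query across weeks never trips a single-event threshold and is only visible in the aggregate.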
The PIPC explained that LG U+ was being fined for its failure to comply with the PIPA, based on the findings of the months-long investigation. In addition to the financial penalty, corrective orders were issued on the following:
● Reinforcing the roles and responsibilities of the Chief Privacy Officer (CPO);
● Scaling up and enhancing the capabilities of the internal team designated for data protection matters;
● Reshaping the corporate strategy and plan for effective management of personal data; and
● Improving the overall system dealing with personal data to reduce vulnerable areas.
As a major telecommunications company providing both wired and wireless services, LG U+ is responsible for processing a large amount of personal data of citizens. As such, the company is expected to have stringent data privacy practices in place. However, the results of the investigation indicated that the company’s overall management of the CAS did not meet the requirements for safeguarding personal data, and that it has made insufficient investment to ensure data protection and security, ultimately contributing to the incident of a massive data breach.
The PIPC expressed hope that today’s decision will serve as a turning point for businesses that typically hold and process large volumes of personal data to recognize the need to invest a sufficient budget and workforce in data protection. The PIPC added that this measure will provide an opportunity for businesses to reconsider the crucial role of the Chief Privacy Officer (CPO) and the relevant organization in running their business.
* A PDF version of this article is attached: [press release] LG Uplus sanctioned for data breach including personal information.pdf
Source: PIPC (KR)