Big breaches and small fines continue to expose Korean consumers

2025. 5. 13. 09:43

Despite repeated data breaches at major firms like LG U+ and Golfzon, experts say Korea’s light penalties and lack of accountability are fueling a cycle of weak cybersecurity and recurring leaks that put consumer data at risk.
LG U+ CEO Hwang Hyeon-sik bows in apology during a press conference at the company's headquarters in Yongsan District, central Seoul, after a data breach affecting approximately 300,000 customers on Feb. 16, 2023. [YONHAP]

In 2023, the personal information of 300,000 LG U+ customers was compromised in a data breach. The company got a 6.8 billion won ($4.79 million) fine. In 2018, Meta was fined $269 million for failing to protect the information of 29 million members.

The recent hacking of SK Telecom's SIM system is just the latest in a long history of personal data breaches involving major Korean corporations — and the responses to such incidents have followed a familiar pattern.

Some argue that Korea should learn from overseas cases, suggesting that the lenient penalties given to companies may be contributing to repeated breaches that put Korean consumers’ data at risk.

In 2023, LG U+ disclosed a data breach affecting approximately 300,000 customers. Information leaked included names, birth dates, phone numbers, home addresses, device models, email addresses and SIM details. Korea’s Personal Information Protection Commission (PIPC) imposed a fine of 6.8 billion won ($4.79 million) and an administrative penalty of 27 million won.

Golfzon, Korea’s leading screen golf company, suffered an even larger breach the same year, with ransomware attackers stealing the personal data of 2.21 million customers, including names, email addresses and phone numbers. The PIPC imposed a fine of 7.5 billion won and a 5.4 million won penalty.

Coupang experienced breaches in both 2021 and 2023, leaking the personal data of 150,000 delivery workers and customers using its food delivery service, Coupang Eats. The company was fined nearly 1.6 billion won and penalized 10.8 million won.

SK Telecom CEO Ryu Young-sang answers questions on the recent SKT hack at the National Assembly building in Yeouido, western Seoul, on May 8. [YONHAP]

Looking back to the 2010s, when data protection awareness was lower, the scale of such incidents was even greater. In 2011, SK Communications was hacked by perpetrators based in China, leading to the leak of personal data from 35 million users of its Nate and Cyworld platforms. The data included resident registration numbers, names, blood types and passwords.

Other major breaches include KT in 2012, when the data of 8.7 million users was leaked, and again in 2014, with 12 million affected, as well as Interpark in 2016, which saw the information of 10.3 million users compromised. However, before a 2023 revision to relevant laws, fines were capped at 3 percent of "revenue related to the violation" rather than 3 percent of total corporate revenue, resulting in relatively low penalties.

Companies hit by breaches often offered similar explanations, such as “delays in identifying the breach” or blaming “third-party vendors.” Pledges to “strengthen cybersecurity” followed. But the PIPC’s standard recommendations, including to "prepare corrective measures to prevent recurrence, such as a comprehensive system inspection and improvement of vulnerable areas," have not prevented recurrence.

In contrast, punitive measures abroad are far more severe. In the United States, T-Mobile suffered a breach in 2021 that affected 76.6 million customers. The company faced a class-action lawsuit and agreed to a $350 million settlement, with individual payouts of up to $25,000.

A notice is put up at an SK Telecom direct store in Jung District, central Seoul, on May 12. [NEWS1]

In 2018, Meta, operator of Facebook and Instagram, was fined 380 billion won by Ireland’s Data Protection Commission for leaking data from 29 million users.

Stronger punishments alone may not be a cure-all. But in Korea, where class action lawsuits and punitive damages remain limited, the incentive for companies to prioritize data security remains weak.

“Even if the punishment for personal information leaks has been strengthened, it still does not provide companies with more than an indulgence in processing costs,” said Lim Jong-in, a distinguished professor of cybersecurity at Korea University’s Graduate School of Information Security.

“Authorities should increase pressure through pre-emptive inspections, regulatory oversight and holding executives accountable if vulnerabilities are detected in advance.”

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff. BY KIM KI-HWAN, CHOI SUN-EUL, NA SANG-HYEON, NOH YU-RIM [lim.jeongwon@joongang.co.kr]

Copyright © Korea JoongAng Daily. Unauthorized reproduction and redistribution prohibited.