Title | The PIPC Sanctions Woori Card for Data Breaches, Imposing KRW 13.45 billion
---|---
Date | 2025.03.28
Attachment | press release The PIPC Sanctions Woori Card for Data Breaches, Imposing KRW 13.45 billion.pdf
Page URL | https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2794
Contents |
Press Release: The PIPC Sanctions Woori Card for Data Breaches, Imposing KRW 13.45 billion
- Correction orders to put stronger access control and safeguarding measures in place, conduct compliance training for employees, and ensure stronger supervision
March 26, 2025 (This is an unofficial translation of a press release, originally prepared in Korean.)
The Personal Information Protection Commission (PIPC) held its seventh plenary meeting of 2025 and reached a decision to sanction Woori Card Co., Ltd. (Woori Card) for data breaches on March 26, 2025. Administrative sanctions by the PIPC are as follows:
The PIPC launched investigations into Woori Card after the company reported a data breach, and media outlets reported that it used merchants' personal information for marketing purposes, such as soliciting purchases. The investigations showed that Woori Card took advantage of the personal information of its merchants to implement its marketing strategy for issuing new credit cards without obtaining consent. It was also found that employees working in one of the local branches provided the personal information to sales representatives. The following explains the company's data processing practices and the violations identified during the PIPC's investigations.

1. Woori Card's Data Processing Practice
To significantly grow its sales revenues, the Woori Card Incheon sales branch entered merchants' business registration numbers into the merchant management program to gain access to each merchant's personal information, including phone numbers, resident registration numbers (RRNs), and addresses, from July 2022 to April 2024. The branch used the personal information to attract merchants to issue new credit cards, and the number of affected merchants amounts to at least 131,862.
Entering the RRNs of merchants into a card-issuing review program, the employees working at the local sales branch were able to check whether the merchants held credit cards issued by Woori Card. They wrote down this information on each merchant information document, took a picture of them, and shared them in the chat room of sales representatives.
From September 2023, in particular, employees used commands to view the credit card holding status in the database, which processes the personal information of merchants and customers, and generated files. They sent the personal information of 75,676 merchants through email from January 8 to April 2, 2024. During this timeframe, they sent the personal information 100 times, more than twice a day.
Woori Card's employees handed over the personal information of 207,538 merchants to sales representatives for marketing purposes. However, 74,692 merchants did not give consent to providing their personal information other than initial purposes.
2. Violations
The PIPA stipulates that personal data processors should not use personal information beyond the intended purposes of collection and use; however, Woori Card used personal information collected for merchant management purposes for its own marketing purposes. This data processing practice violates Article 18(1) of the PIPA, which sets out that the use of personal information must be in line with purpose limitation. In addition, the company's processing of RRNs failed to comply with Article 24(2)-1 of the PIPA regarding the limitations on processing RRNs.
Woori Card had entrusted the authorization of access to personal information, including access to databases and file downloads, to each sales branch, which technically serves as an internal division of the company. The company was supposed to monitor and supervise each branch's data processing practices, including examining whether access was restricted to authorized users and reviewing access logs. However, Woori Card was complacent in doing so, leading to a massive amount of data breaches.
Woori Card failed to implement role-based access control (RBAC), allowing employees working at the sales branch excessive access to databases containing the personal information of merchants and customers. To make matters worse, the company failed to examine and take measures against the sales branch's data processing practice, even when the number of views and downloads of personal information reached 30 million per month on average.
In this regard, the PIPC sanctioned Woori Card for using and providing the personal information of its merchants in a manner not compatible with the initial purposes, imposing a penalty of KRW 13.45 billion for the violations. In addition, the supervisory authority issued a correction order to implement stronger access control measures, prevent the misuse and abuse of personal information, and ensure compliance with safeguarding measures, including minimizing access authority and conducting regular reviews. The order also aims to strengthen the management and supervision of those who handle personal information. The PIPC also issued an order to publish the sanction results on its website.
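The two control failures described above (no role-based restriction on which fields a branch account may read, and access and download volumes that were never reviewed) and the correction order's requirements (minimized access authority, regular reviews) can both be checked mechanically over access logs. The following Python script is an added example and is not code from the PIPC or from Woori Card; the log line format, the role-to-field table, the account names, the sample log lines and the thresholds are all constructed assumptions for illustration.

```python
"""Periodic review of personal-information access logs.

Two checks a data protection officer would run over a month of logs:
  1. least privilege: did an account read a field its role is not entitled to
     (e.g. a sales role reading resident registration numbers)?
  2. volume: did an account read or export more than its monthly baseline?
All formats, roles and thresholds here are assumptions, not a real system's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed role-to-field entitlements. Sales roles are never entitled to RRNs.
ROLE_FIELDS = {
    "merchant_support": {"name", "phone", "address", "rrn"},
    "branch_sales": {"name", "phone"},
}

# Assumed per-account monthly review thresholds.
MAX_RECORDS_PER_MONTH = 5_000   # records read before review is triggered
MAX_EXPORTS_PER_MONTH = 2       # bulk file exports before review is triggered

# Constructed sample log. Format (assumed): timestamp|account|role|action|field|count
SAMPLE_LOG = """
2024-01-08T09:12:00|u1001|branch_sales|read|phone|120
2024-01-08T09:15:00|u1001|branch_sales|read|rrn|120
2024-01-09T10:00:00|u1001|branch_sales|export|phone|3000
2024-01-10T10:00:00|u1001|branch_sales|export|phone|3000
2024-01-11T10:00:00|u1001|branch_sales|export|phone|3000
2024-01-15T11:00:00|u1001|branch_sales|read|phone|6000
2024-01-16T08:30:00|u2002|merchant_support|read|rrn|40
"""


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str     # out_of_role_field | excessive_volume | excessive_exports
    detail: str


def parse_line(line):
    """Split one pipe-delimited log line into a dict; month is derived from the timestamp."""
    ts, account, role, action, field, count = line.strip().split("|")
    return {"month": ts[:7], "account": account, "role": role,
            "action": action, "field": field, "count": int(count)}


def review_access_logs(lines):
    """Return the list of findings for the given log lines."""
    findings = []
    records = defaultdict(int)   # (account, month) -> records read
    exports = defaultdict(int)   # (account, month) -> bulk exports
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        # Check 1: field access outside the role's entitlement (least privilege).
        if e["field"] not in ROLE_FIELDS.get(e["role"], set()):
            findings.append(Finding(e["account"], "out_of_role_field",
                                    f"{e['role']} read {e['field']}"))
        key = (e["account"], e["month"])
        if e["action"] == "read":
            records[key] += e["count"]
        elif e["action"] == "export":
            exports[key] += 1
    # Check 2: monthly volume against the baseline thresholds.
    for (account, month), n in records.items():
        if n > MAX_RECORDS_PER_MONTH:
            findings.append(Finding(account, "excessive_volume", f"{n} records in {month}"))
    for (account, month), n in exports.items():
        if n > MAX_EXPORTS_PER_MONTH:
            findings.append(Finding(account, "excessive_exports", f"{n} exports in {month}"))
    return findings


if __name__ == "__main__":
    for f in review_access_logs(SAMPLE_LOG.splitlines()):
        print(f"{f.account}: {f.kind} ({f.detail})")
```

In the constructed sample, account u1001 (a sales role) is flagged three times: once for reading an RRN field its role is not entitled to, once for reading 6,240 records in a month, and once for three bulk exports. The support account u2002, whose role is entitled to RRNs and stays under the thresholds, produces no finding. The entitlement table is the part worth maintaining carefully: a volume threshold only catches abuse after the fact, whereas denying a role the field in the first place is the access minimization the correction order calls for.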
3. Key Takeaways
The PIPC reiterates that personal data processing beyond the initial purposes constitutes a breach of the PIPA and urges personal data processors to periodically review their data processing practices, such as the current status of access authorization for employees and those who handle personal information.
Meanwhile, the PIPC sanctioned general insurance companies for not complying with the PIPA, emphasizing that personal data processing in the financial services sector may fall under the purview of the PIPA. In this context, the financial services sector should review its current status to ensure compliance with the PIPA.
* A PDF file, formatted for better readability, is attached.