Skip to menu Skip to content

Korean e-government homepage mark This site is the official e-Government website of the Republic of Korea.

zoom
100%

Notice / Press Release

Notice Detail
Title The PIPC Sanctions Three Businesses for Failures to Implement Safeguards Required under the PIPA
Department Date 2026.07.15
Attachment press release The PIPC Sanctions Three Businesses for Failures to Implement Safeguards Required under the PIPA.pdf
Page URL https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=3112
Contents

Press Release

The PIPC Sanctions Three Businesses for Failures to Implement Safeguards Required under the PIPA

- The PIPC urges data controllers to take measures to configure IP access control lists for personal information processing systems, and overhaul authentication methods to ensure security

 

July 9, 2026

(This is an unofficial translation of a press release, originally prepared in Korean.)

 

The Personal Information Protection Commission (PIPC) held its 13th plenary session on July 8, 2026, and resolved to impose sanctions on three businesses for failing to implement adequate safeguards required under the Personal Information Protection Act (PIPA). The PIPC imposed administrative fines totaling KRW 706.4 million on three businesses and issued publication orders on them to publicly disclose the sanction results on their respective websites.

 

The three businesses are as follows:

 

● LOCK&LOCK CO., LTD. (LocknLock): A household goods company

● Ubase, Inc. (Ubase): An outsourcing service company that operates a call center for businesses 

● SUN-PHOTO CORPORATION (SUN-PHOTO): A company that sells cameras and video cameras

 

The three companies failed to put adequate safeguards in place, such as access controls for personal information processing systems, leading to data breaches. The following explains the PIPC’s investigation results.

 

1. LocknLock: Issued KRW 508.4 million in fines and a publication order 

 

In April 2024, unknown hackers gained unauthorized access to LocknLock’s internal systems using security vulnerabilities of its email server. The hacker exploited such security vulnerabilities and exfiltrated the membership database from May 29, 2024, to May 30, 2024. Again, the hacker accessed its internal system and exfiltrated business between November 22, 2025, and November 26, 2024.

 

The data breaches affected 1,111 cases of personal information of approximately 1.3 million people, including:

 

● Customer information, including names, phone numbers, addresses, etc. 

● Staff information, including resident registration numbers, driver’s license information, bank account copies, etc. 

 

The PIPC’s investigation found that LocknLock failed to detect and respond to anomalies in traffic generated during the data breaches. The company became aware of the incidents only after receiving a blackmail threat from the hacker.

 

Moreover, LocknLock failed to implement adequate safeguards, including:

 

● Failures to update security patches distributed in 2022 

● Using the same passwords for server administrators' accounts 

● Failures to encrypt uniquely identifiable information (UII) 

● Failures to destruct staff’s personal information and customer information associated with closed stores totaling 49,466 cases

 

Accordingly, the PIPC imposed KRW 5.84 million in administrative fines on LocknLock for failures to comply with the Personal Information Protection Act (PIPA). The PIPC also issued a publication order to the company to post the sanction results on its website.

 

 

2. Ubase: Issued KRW 168 million in fines and a publication order

 

A hacker accessed Ubase’s website administrator account and exfiltrated personal information of 1,852 users, and posted the data on Telegram in April 2024. The affected data includes names, phone numbers, email addresses, and company names.

 

The PIPC’s investigation showed that Ubase failed to implement appropriate access controls, including failures to configure IP access control lists (ACLs), allowing access to its administrative account from outside the organization. At the same time, Ubase also operated its website to be accessed by simple login credentials (ID, passwords), without implementing stronger authentication methods. It also failed to properly retain and manage access logs for its personal information processing system.

 

As a result, the PIPC imposed KRW 168 million in administrative fines and issued a publication order on Ubase to disclose the sanction results on its website. 

 

 

3. SUN-PHOTO: Issued KRW 30 million in fines and a publication order

 

A hacker gained access to SUN-PHOTO’s website administrator account and exfiltrated the personal information of about 170,000 members, including names, user IDs, phone numbers, gender information, etc., as well as 13 customer order records. The hacker also attempted a voice phishing scam targeting one of the users by impersonating a SUN-PHOTO employee.

 

According to the PIPC’s investigation, SUN-PHOTO failed to restrict administrator access by configuring IP ACLs. It also did not meet the safeguarding requirements under the PIPA, including failures to retain and manage access logs of its personal information processing system.

 

Accordingly, the PIPC imposed KRW 30 million in fines and issued a publication order on SUN-PHOTO to post the sanction results on its website.

 

 

4. Key Takeaways 

 

Recently, a series of data breaches occurred due to failures to implement adequate safeguards, including poorly managed access controls and failures to put secure authentication methods in place. To prevent such malpractice, the PIPC urges data controllers to restrict access by configuring IP ACLs. In particular, data controllers should implement additional authentication methods when it comes to access from outside the organization to ensure data security.

 

* A PDF file, formatted for better readability, is attached.  

 

 

Previous
The PIPC Shared Its Way to Respond to AI with Data Protection Authorities Around the World
Next
no data found