Privacy Daily is a service of Warren Communications News.

South Korean DPA Fines 3 Companies for Hacking Failures

The South Korean Personal Information Protection Commission slapped fines on three companies for violating safety measures by not guarding against SQL (Structured Query Language) injection attacks that stole large amounts of personal information, the regulator said Friday.

EJON Co., an online educational content service provider, The Zone Housing Co., a construction design consultant, and Leisure Plus, a golf course reservation platform, leaked customer information due to SQL insertion attacks, the DPA said.

An SQL insertion attack is a technique that manipulates a database by using a website vulnerability to execute malicious SQL (database command) statements, the watchdog said.

Personal information of nearly 70,000 EJON members was leaked and posted on Telegram from August 2021 to August 2024, the DPA said. Its investigation showed that the company failed to check for vulnerabilities, detect and block attempts to leak personal information, encrypt resident registration numbers and report the breach in a timely fashion. It was fined 11.46 million South Korean won ($7.8 million).

The Zone Housing was fined 5.58 million won ($3.8 million) after a hacker's SQL attacks exposed the personal information of nearly 34,000 members, which was posted on Telegram, the DPA said. It found the company failed to operate a system to detect and block SQL attacks in advance and lacked inspection measures for vulnerabilities and encryption measures for customers' passwords, among other problems.

The watchdog fined Leisure Plus 6.12 million won ($4 million) over SQL injection attacks in September 2024 and October 2024 in which data from more than 160,00 members was leaked. The investigation confirmed that the company failed to manage the vulnerability used in the attack and to detect the breach attempt in advance. Password measures for members were also insufficient, the DPA said.