Louis Vuitton drew the heaviest penalty at KRW 21.385 billion. In that case, an worker’s system was compromised by malware, permitting menace actors to reap SaaS account credentials. The breach resulted within the publicity of private information belonging to roughly 3.6 million people throughout three separate incidents between June 9 and June 13 of final yr. Regardless of having used the SaaS platform since 2013, Louis Vuitton Korea had by no means applied IP-based entry restrictions or enforced stronger authentication for distant entry.
Christian Dior Couture Korea was fined KRW 12.236 billion, plus an extra KRW 3.6 million in penalties. In Dior’s case, a customer support consultant fell sufferer to a voice phishing (vishing) assault and immediately provisioned SaaS entry to the attacker, resulting in the publicity of private information for roughly 1.95 million people. The corporate had did not implement IP-based entry controls, had not restricted the usage of bulk information export instruments, and had not carried out month-to-month entry log evaluations — lapses that allowed the breach to go undetected for greater than three months. The PIPC additionally confirmed that Dior missed the statutory 72-hour window for notifying authorities and affected people as soon as the breach was found.
Tiffany Korea obtained a superb of KRW 2.412 billion and an extra KRW 7.2 million in penalties. The assault vector mirrored Dior’s: A customer support worker was socially engineered by way of a vishing scheme and granted the attacker entry privileges, ensuing within the compromise of private data for roughly 4,600 people. Tiffany likewise lacked IP-based entry controls and bulk obtain restrictions, and did not report the breach throughout the required 72-hour timeframe.
