At its plenary meeting on the 12th, the Personal Information Protection Commission resolved to impose a penalty surcharge of 6.8 billion won and an administrative fine of 27 million won on LG Uplus over its personal information leak, and to order corrective measures to prevent recurrence, including a comprehensive system inspection and remediation of vulnerable areas.
▲ Personal Information Protection Commission plenary meeting on the 12th
Service infrastructure and security environment vulnerabilities revealed
LG Uplus, “64 billion won in security-related spending in the first half of the year”
LG Uplus was fined 6.8 billion won for violations related to a personal information leak.
The Personal Information Protection Commission decided at a plenary session held on the 12th to impose a penalty surcharge of 6.8 billion won and an administrative fine of 27 million won on LG Uplus over the personal information leak, and to order corrective measures to prevent recurrence, such as a comprehensive system inspection and remediation of vulnerable areas.
Last January, about 600,000 LG U+ customer records (about 300,000 after removing duplicates) were posted on an illicit trading site by hackers.
The Personal Information Protection Commission investigated jointly with the public-private investigation team and the police, and announced its findings in April. According to the analysis by the Commission and the Korea Internet & Security Agency (KISA), a total of 297,117 personal information records (after removing duplicates) were confirmed to have been leaked, covering 26 data fields including mobile phone number, name, address, date of birth, email, ID, and USIM unique number.
Among the various systems of LG Uplus, the system that most closely matches the leaked data is the Customer Authentication System (CAS), and the leak was confirmed to have occurred around June 2018.
Since January, the Personal Information Protection Commission has been investigating LG U+’s personal information status and compliance with the Personal Information Protection Act and has identified major violations.
First, the service operation infrastructure and security environment of the Customer Authentication System (CAS) were found to have remained vulnerable to intrusion by hackers and others until January 2023, when the investigation began. Most of the commercial software in use had reached end of life or end of technical support by June 2018, when the leak is believed to have occurred.
In addition, basic security equipment such as firewalls, intrusion prevention systems (IPS), and web application firewalls was either not installed or, where installed, not configured with proper security policies, and technical support for some of it had been discontinued. Malicious code uploaded to the CAS development environment was found to have remained undeleted until January 2023, with no web shell inspection performed and no IPS security policies applied.
LG U+ operates the Customer Authentication System (CAS) as separate development, staging, and production environments. Live production data (including personal information) managed in the CAS production environment was copied to the development and staging environments for testing, and some of it was left behind, so that more than 10 million stale personal information records remained there at the time of the investigation.
Lastly, although a large volume of personal information was being handled, the access rights and access logs of personal information handlers were found to be poorly managed. Management controls were weak: records of bulk transfers of personal information were not kept, so it could not be confirmed whether any abnormal activity had taken place.
The Personal Information Protection Commission decided to impose a penalty surcharge and an administrative fine for the violations of the Personal Information Protection Act, and to issue corrective orders including an overall system inspection and remediation of vulnerable elements. It also asked that the personal information protection investments and secondary-damage prevention measures promised since the incident in January be carried out as planned.
Meanwhile, LG Uplus announced on July 12 that it would raise its information security investment to KRW 100 billion, more than three times the previous amount announced in February, and that it had already spent approximately KRW 64 billion in the first half of the year.
Of the 110 planned tasks, the main investment areas are vulnerability assessment, integrated security monitoring, and infrastructure. The company also said it is investing in people: strengthening its information security staff, expanding and reorganizing the security organization, recruiting a Chief Information Security Officer (CISO), strengthening security verification by establishing an 'Information Security Advisory Committee', and running an information security department jointly with Soongsil University to develop talent.