T-money fined 534 million won over personal data leak

The Personal Information Protection Commission (PIPC) announced on the 29th that it had held a plenary meeting on the 28th and decided to impose a total fine of 534 million won on T-money for violating the Personal Information Protection Act, along with issuing a corrective order.
PIPC explained that, based on an investigation launched after a personal data breach report filed on April 11 last year, it confirmed that T-money had neglected its obligation to take security measures required under the Act.
According to PIPC, between March 13 and 25 last year, a hacker broke into the Tmoney Card & Pay website and leaked the personal information of 51,691 individuals. The hacker used a method known as credential stuffing, in which an attacker obtains large numbers of account IDs and passwords from a particular site and then uses automated tools to try the same combinations on other sites until logins succeed. This type of attack is typically marked by a sharp spike in both the number of login attempts and the login failure rate.
During this period, the hacker used 9,647 domestic and overseas IP addresses to launch large-scale login attempts on the Tmoney Card & Pay website, reaching up to 131 attempts per second and 5,265 per minute, for a total of more than 12.26 million attempts. Of these, logins were successfully made to the accounts of 51,691 members, allowing access to web pages containing their personal information. In the process, the hacker also stole about 14 million won worth of T Mileage from 4,131 of the compromised accounts by using the mileage “gift” function, causing additional damage.
PIPC determined that, although clear abnormal signs such as massive, repeated login attempts from specific IP addresses had occurred, T-money failed to properly fulfill its duty to implement security measures, including intrusion detection and blocking and responses to suspicious activity, and that this negligence led to the personal data breach.
PIPC also urged organizations to review and strengthen their security measures, including intrusion detection and blocking for abnormal access and other suspicious behavior, noting that credential stuffing attacks have become increasingly frequent in recent years.
An official at PIPC said, "Measures such as masking personal information on pages where it is displayed, and applying additional authentication when accessing pages that contain personal data, can help prevent further incidents."
yjjoe@fnnews.com Reporter Cho Yoon-joo Reporter