Louis Vuitton drew the heaviest penalty at KRW 21.385 billion. In that case, an employee's device was compromised by malware, allowing threat actors to harvest SaaS account credentials. The breach resulted in the exposure of personal data belonging to roughly 3.6 million people across three separate incidents between June 9 and June 13 of last year. Despite having used the SaaS platform since 2013, Louis Vuitton Korea had never implemented IP-based access restrictions or enforced stronger authentication for remote access.
Christian Dior Couture Korea was fined KRW 12.236 billion, plus an additional KRW 3.6 million in penalties. In Dior's case, a customer service representative fell victim to a voice phishing (vishing) attack and directly provisioned SaaS access to the attacker, leading to the exposure of personal data for about 1.95 million people. The company had failed to implement IP-based access controls, had not restricted the use of bulk data export tools, and had not carried out monthly access log reviews, lapses that allowed the breach to go undetected for more than three months. The PIPC also confirmed that Dior missed the statutory 72-hour window for notifying authorities and affected individuals once the breach was discovered.
Tiffany Korea received a fine of KRW 2.412 billion and an additional KRW 7.2 million in penalties. The attack vector mirrored Dior's: a customer service employee was socially engineered through a vishing scheme and granted the attacker access privileges, resulting in the compromise of personal information for about 4,600 individuals. Tiffany likewise lacked IP-based access controls and bulk download restrictions, and did not report the breach within the required 72-hour timeframe.

