South Korea's Personal Information Protection Commission held its third plenary meeting on Feb. 11 and ordered Louis Vuitton Korea, Christian Dior Couture Korea and Tiffany Korea, luxury brand retailers that violated the Personal Information Protection Act, to pay a combined 36.03 billion won in fines and 10.8 million won in administrative penalties and to publicise the sanctions.
All three companies suffered personal data leaks while using a software-as-a-service-based customer management service, the commission said.
Louis Vuitton said an employee device was infected with malware and hackers stole SaaS account information, leading to the leak of personal information of about 3.6 million people in three incidents.
Louis Vuitton introduced and operated the SaaS from 2013 to manage purchasing customers and others. It did not restrict access rights by internet protocol, or IP, addresses and did not apply secure authentication methods when personal information handlers accessed the system from outside, it said. The commission fined Louis Vuitton 21.39 billion won and ordered it to disclose the sanction on its website.
Dior leaked personal information of about 1.95 million people after a customer service employee was deceived by a hacker voice-phishing scam and granted the hacker access rights to the SaaS. Dior introduced and operated the SaaS from 2020 to manage purchasing customers and others. It did not restrict access rights by IP addresses and did not limit the use of tools that support bulk data downloads. It did not check access logs such as whether personal information was downloaded at least once a month, and confirmed the leak more than three months later.
The commission also found that Dior, after recognising the leak on May 7 last year, issued the leak notification more than 72 hours later without a justified reason. The commission fined Dior 12.24 billion won and imposed a 3.6 million won administrative penalty, and ordered it to disclose the sanction on its website.
In a case similar to Dior's, Tiffany leaked personal information of about 4,600 people after a customer service employee was deceived by a hacker voice-phishing scam and granted the hacker access rights to the SaaS. Tiffany introduced and operated the SaaS from 2021 for marketing. It did not restrict access rights by IP addresses and did not limit the use of tools that support bulk data downloads.
The commission also found that Tiffany, after recognising the leak on May 9 last year, reported and notified the leak after more than 72 hours without a justified reason. The commission fined Tiffany and imposed an administrative penalty, and ordered it to disclose the sanction on its website.
Many companies have recently introduced and operated SaaS from global providers to cut initial build costs and improve maintenance efficiency, the commission said. When a company introduces SaaS for customer management and processes personal information, the service is deemed a personal information processing system, so the company must take steps such as granting differentiated access rights within the minimum scope needed for the work. It must restrict access by IP address to control unauthorised access and apply secure authentication methods, such as one-time passwords, certificates or security tokens, when a personal information processing system is accessed from outside.
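As an added illustration (not part of the commission's decision or of any of the companies' systems), the following Python check runs the monthly access-log review the commission described over a constructed SaaS customer-management log, flagging the two control failures cited above: access from outside an IP allowlist and bulk downloads of personal data. The log format, the allowed IP ranges, the bulk threshold and the review interval are assumptions made for the example.

```python
# Added example: monthly review of constructed SaaS access logs.
# Format, IP ranges and thresholds below are assumptions, not any vendor's.
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Assumed office/VPN ranges from which personal information handlers may connect.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
BULK_DOWNLOAD_THRESHOLD = 1000   # records in one export that counts as "bulk"
REVIEW_INTERVAL_DAYS = 30        # access logs must be checked at least monthly

# Constructed sample log: date,user,source_ip,action,record_count
SAMPLE_LOG = """\
2025-05-01,cs_agent_01,203.0.113.40,view,1
2025-05-02,cs_agent_07,198.51.100.9,export,250
2025-05-03,cs_agent_07,192.0.2.77,export,50000
2025-05-04,mkt_user_03,203.0.113.41,export,1500
2025-05-05,cs_agent_01,192.0.2.78,view,1
"""

def parse_log(text):
    """Parse the constructed CSV format into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, ip, action, count = line.split(",")
        rows.append({"date": date.fromisoformat(day), "user": user,
                     "ip": ip_address(ip), "action": action, "count": int(count)})
    return rows

def find_violations(rows):
    """Return (user, date, reason) for every event that breaches a control."""
    findings = []
    for r in rows:
        if not any(r["ip"] in net for net in ALLOWED_NETWORKS):
            findings.append((r["user"], r["date"], "access from non-allowlisted IP"))
        if r["action"] == "export" and r["count"] >= BULK_DOWNLOAD_THRESHOLD:
            findings.append((r["user"], r["date"], "bulk download of personal data"))
    return findings

def review_overdue(last_review_iso, today_iso):
    """True when the monthly access-log check has lapsed (ISO date strings)."""
    last, today = date.fromisoformat(last_review_iso), date.fromisoformat(today_iso)
    return today - last > timedelta(days=REVIEW_INTERVAL_DAYS)

if __name__ == "__main__":
    for user, day, reason in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
    print("review overdue:", review_overdue("2025-03-01", "2025-05-07"))
```

On the constructed log this reports four findings: the 50,000-record export from an outside address counts twice (non-allowlisted IP and bulk download), the 1,500-record export once, and the final view from an outside address once.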
The commission emphasised that even when a company introduces SaaS, responsibility for safely managing personal information is not exempted or transferred, and a personal information processor must sufficiently apply the personal information protection functions provided by the service to prevent data leak incidents.