South Korea's Personal Information Protection Commission held its sixth full committee meeting on Tuesday. It imposed a 280 million won penalty and a 7.2 million won fine on British auction house Christie, Manson & Woods, Ltd. for violating personal data protection rules. The commission also ordered the disclosure of the sanction.
Christie's said personal data on 620 South Korean members was leaked after a helpdesk employee was deceived by a hacker's voice-phishing scam and granted the hacker access rights to the personal information processing system.
The probe found that when Christie's received requests to reset passwords needed to access its personal information processing system, it reissued passwords after checking only basic information such as a requester's hiring date and department. It did so without separate secure authentication methods such as text message or email verification.
At the time of the hacking, it reset the password without following even that verification procedure. It also changed the phone number required for account access to the hacker's phone number.
The commission also confirmed violations of security obligations, including storing customers' resident registration numbers, driver's licence numbers and passport numbers without encryption. It also found that Christie's collected and stored the resident registration numbers of Korean members to verify identity without a legal basis for processing such numbers. It also reported and notified the data leak more than 72 hours after recognising it, without a valid reason for the delay.
The commission said it imposed the penalty and fine and ordered Christie's to disclose the sanction on the company's website. It urged personal information processors to apply and manage authentication methods securely so that those without legitimate access rights cannot easily extract or steal them.