Home > National > Social Affairs

Firms to face fines for multiple data breaches, incentives for boosting security

Published: 11 Sep. 2025, 17:42 Updated: 11 Sep. 2025, 19:08

Choi Jang-hyuk, vice chair of the Personal Information Protection Commission, briefs the press on plans to strengthen personal data protection measures following the SK Telecom customer data leak at the government complex in Seoul on Sept. 11. [YONHAP]

Korea plans to impose fines on companies that suffer repeated personal data breaches and hold CEOs responsible for data protection. The government also intends to offer incentives to firms that take proactive steps to protect personal information, the Personal Information Protection Commission (PIPC) announced Thursday.

The move follows April’s SIM card hacking incident at SK Telecom, which highlighted the need for stronger legal and technical safeguards.

President Lee Jae Myung said last Thursday that “the government must prepare measures to ensure a strong response, including punitive fines, against companies that suffer repeated security breaches.”

The government will revise laws and regulations to ensure strict penalties for data breaches. Companies that suffer multiple hacks using the same method will face heavier fines, and fines will be considered as a long-term measure. Authorities are also exploring ways to direct the fines toward compensation for victims. The revision will explicitly state that a company’s chief executive bears final responsibility for protecting personal information.

A pedestrian with a phone walks by a wireless store in Seoul with a notice about SK Telecom's rate plans on Sept. 2. [YONHAP]

Companies that go beyond legal requirements will receive incentives. Firms that encrypt optional data like phone numbers and addresses or install fraud detection systems to block suspicious activity will see their fines reduced if a breach occurs.

Companies that handle data for more than one million people or post revenue above 150 billion won ($108 million) — and are required to appoint a chief privacy officer — will also qualify for incentives if they assign at least one dedicated data protection staff member or allocate at least 10 percent of their information technology budget to data protection.

The PIPC said it will draft the legislative revisions this year and submit them to the National Assembly in the first half of next year. Proposals requiring longer review, such as the fine system, will undergo stakeholder consultations through next year.

Separately, the commission fined Moncler Korea 81 million won and imposed a separate 7.2 million won penalty for violating the Personal Information Protection Act after the personal data of 230,000 customers was leaked. Investigators found that the company failed to introduce an additional authentication step beyond ID and password access for its website administrators between June 2019 and January 2022. Hackers exploited the gap to deploy malware on the server and steal data.

Moncler Korea also delayed notifying customers. The company became aware of the leak on Jan. 17, 2022, but failed to notify customers within the legally required 24 hours, without justification.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY HAN EUN-HWA [[email protected]]