Controversy is spreading after it was belatedly disclosed that personal information of about 100,000 customers was leaked from a golf course in Gapyeong, Gyeonggi Province. Amid a recent string of major data breaches, critics say the leaked information includes sensitive data such as addresses and mobile phone numbers, raising concerns about secondary damage.
According to reporting by Seoul Economic Daily on Tuesday, the National Police Agency's Security Investigation Command Division has detected signs of hacking on the Li&Li Country Club (Li&Li CC) website and is conducting a related investigation. Investigators are also pursuing the possibility that the attack was carried out by a hacking group linked to North Korea.
The hack occurred on October 21 last year. The incident came to light when the National Police Agency's Security Cyber Investigation Division notified Li&Li CC of the breach on the 17th of last month. Users were informed the following day through a notice on the website and text messages.
The leaked personal information was found to be wide-ranging, including names, dates of birth, gender, user IDs, passwords, mobile and landline phone numbers, emails, and addresses. However, for members who signed up after the login system was revamped on February 5, 2023, six items were leaked, excluding user IDs, passwords, and landline phone numbers.
Police confirmed that they uncovered the data leak while investigating a North Korean hacking group. "The server is presumed to have been infected with malware distributed by the hacking group," a police official said. "We are also looking into a possible connection with a North Korean hacking group."
As such data breaches continue to recur, social awareness is growing. On the 24th of last month, the Seoul Metropolitan Police Agency's Cyber Investigation Unit was confirmed to be investigating a case in which personal information of 430,000 members was leaked from matchmaking firm Duo Information (Duo).
The leaked personal information included not only names and contact details but also physical measurements, religion, sibling relationships, school names, and employer names. According to the Personal Information Protection Commission, a hacker infected a Duo employee's work PC with malware in January last year, then downloaded and leaked members' personal information. The commission imposed a penalty of 1.197 billion won ($870,000) and an administrative fine of 13.2 million won on Duo. However, some critics argued that stronger sanctions should have been imposed, given that the leaked information could reveal the overall lifestyle of 430,000 members.
Meanwhile, as personal information leaks continue at major companies including SK Telecom, Coupang, and Lotte Card, there are signs that government regulations are being tightened. A representative example is the revised Personal Information Protection Act, which takes effect on September 11. The revised law centers on the introduction of punitive fines, incentives for preventive investment, a notification system for potential leaks, and strengthened accountability for chief executives and personal information protection officers.
