Security and Privacy Newsletter — May 25, 2026
This newsletter covers recent data breaches, legal precedents, and the shifting regulatory landscape for CISOs and CPOs. In this issue, we highlight the CJ Group employee data breach, the hack of the Ministry of the Interior and Safety’s "1365 Volunteer Portal," and key trends like the upcoming punitive fines in September and new board reporting mandates for CPOs and CISOs.
1. Data Breach Incidents and Insights
① CJ Group Employee Data Leak: Insider Involvement Likely
Personal information of 330 female employees at CJ Group has been leaked. The company has identified an internal employee as the likely perpetrator. This incident, involving intentional data compromise by an insider, serves as a stark reminder of the critical importance of insider threat management systems.

② Ministry of the Interior and Safety '1365 Volunteer Portal' Hacked — 930 Records Leaked
The "1365 Volunteer Portal," the largest volunteer platform in Korea operated by the Ministry of the Interior and Safety, was targeted by an external attack, leaking personal data—including names and phone numbers—of 930 users. According to an exclusive report by Kyunghyang Shinmun, this site was previously exploited by members of the 'Nth Room' (Baksa-bang) digital sex crime network. This incident exposes the recurring security vulnerabilities of platforms run by public institutions and highlights the urgent need to strengthen defense systems against external attacks on public infrastructure.

③ 2025 Data Breach Reports Hit 447 — A 45.6% Surge with 167.7 Billion KRW in Fines
In 2025, there were 447 reported cases of personal data leaks, a 45.6% increase from the previous year (307 cases). Total fines and penalties reached 167.7 billion KRW, marking a 172% (108.3 billion KRW) jump in enforcement scale. These figures underscore the rising intensity of regulatory sanctions following a series of major leaks.

2. Breach Cases and Legal Implications
⚠️ Note: No new court rulings issued after May 23, 2026, were identified in this research. The following summarizes key legal insights from recently published legal analysis reports.
① Credential Stuffing Ruled as 'Illegal Access' to Personal Data
Analyses of major precedents concerning safety measures under the Personal Information Protection Act show that courts have ruled that credential stuffing constitutes "illegal access." This implies that companies can no longer avoid legal liability simply by claiming to be victims of hacking; the core issue rests on whether they implemented proactive safety measures, such as strengthened authentication systems.
② Underinvestment and Poor Management Can Signal Gross Negligence
Legal analysis suggests that if a lack of security investment or management systems is classified as gross negligence, companies could face financial burdens exceeding their annual operating profits. Furthermore, since proof of investment in security budgets and personnel is legally recognized as a ground for reducing fines, companies must shift their perspective: treating personal data protection and corporate security governance as risk management rather than mere expenses.

③ Customized Pre-emptive Inspection System Starts in the Second Half of the Year
According to an Asia Economy report, a customized pre-emptive inspection system based on data leak risk levels will launch in the second half of this year. The government also plans to expand information security disclosures to encourage corporate investment. Prompted by the Coupang leak, this system signals a shift toward a prevention-focused framework where companies evaluate their own risks and implement countermeasures.

3. Recent Status of Personal Information Protection Act (Essential for CISO/CPO)
① Punitive Fines of Up to 10% of Revenue Start September 2026
Starting this September, companies responsible for major personal data leaks will face punitive fines of up to 10% of their total revenue. This applies to repeat offenders or companies that leak data of 10 million or more users. The government plans to expand inspections on major public and high-risk information systems. The amendment to the Personal Information Protection Act was promulgated on March 10, 2026.
② Mandatory Board Reporting for CPO and CISO — Coordinating Reporting Lines
Following the amendment passed by the National Assembly on February 12, 2026, business owners and CEOs are now legally obligated to secure expert personnel and sufficient budget for data protection. The law also mandates that both the CPO and CISO report to the board of directors. Legal experts emphasize the need to clarify reporting lines before the law takes effect to prevent organizational conflicts.
③ Mandatory Information Protection Committee and Strengthened CISO Role
Under the amended Information and Communications Network Act and the Personal Information Protection Act, providers meeting certain criteria are now required to establish an Information Protection Committee. The status of information security and key matters must be reported to the board of directors as part of the CISO's duties. Furthermore, the mandatory security disclosure requirements are being expanded to all listed companies to grade and publicize corporate information security capabilities.
Editor's Note: This newsletter is based on data released as of May 23, 2026. Please note that parts of the legal precedents section utilize recently published analysis due to the limited availability of new court ruling sources.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.