보안 사고 및 개인정보보호 뉴스레터 — 2026-07-06
This newsletter covers the latest data breach incidents, legal precedents, and regulatory shifts for CISOs and CPOs. IMPORTANT: All content is based strictly on publicly available information.
보안 사고 및 개인정보보호 뉴스레터 — 2026-07-06
1. Data Breach Incidents and Implications
SK Telecom data breach and penalty
SK Telecom has been issued a 134.8 billion KRW fine following a data breach. The Personal Information Protection Commission (PIPC) calculated the penalty based on the scale of damages and also imposed a suspension of new service sales on SKT. This case underscores that the severity of data exposure and a company's failure to implement adequate safety measures directly influence penalty assessments.

Woori Bank experiences leak of 17,551 customer records
A breach involving 17,551 customer records occurred at Woori Bank. The bank identified that an external developer had improperly retained the data during an NFT platform development project. Currently, there are no reported cases of this information being disseminated or misused either online or offline.

US House report sparks controversy over Coupang data breach
The U.S. House of Representatives has released a report regarding the massive data breach at Coupang. The report raises questions about the South Korean government's penalty criteria in light of the 624.7 billion KRW fine imposed on the company, signaling a growing international debate over the regulatory gap between domestic and global firms.

2. Paradigm shift in data privacy in the AI era
Companies are now confronting emerging threats such as deepfake videos and AI-driven cyberattacks. As artificial intelligence becomes deeply integrated into daily life, many argue that existing data privacy rules are no longer sufficient. The government is pushing for a complete overhaul of the personal information protection framework to match the AI era.

3. Latest status of the Personal Information Protection Act (Must-read for CISO/CPO)
Expansion of information security disclosure requirements and ISMS inclusion
Information security disclosure obligations are being expanded to include all corporations listed on the KOSPI and KOSDAQ markets. Additionally, firms designated as 'ISMS (Information Security Management System) mandatory companies' under the Information and Communications Network Act as of the end of the previous year are newly included. This means the security capabilities of all listed companies will be subject to public assessment.
February 2026 Amendment: Strengthening corporate responsibility
The amendment to the Personal Information Protection Act passed by the National Assembly on February 12, 2026, mandates that business owners or CEOs bear a legal obligation to implement effective, overall management measures, including securing specialized personnel and providing sufficient budget for data protection. Insufficient investment or inadequate management systems may be deemed as gross negligence, potentially leading to fines exceeding annual operating profits.
Mandatory Board reporting and role separation for CPO and CISO
Under the amended Act, both the CPO and CISO are required to report to the Board of Directors. Companies must reorganize their reporting structures to resolve potential conflicts before the law takes effect. Since documented investment in security budgets and personnel can now serve as grounds for reducing penalties, auditing corporate security governance is essential.
Editor's Note: This newsletter covers information released after July 4, 2026. For detailed information on the latest regulatory trends, please refer to the official website of the Personal Information Protection Commission.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.