South Korea’s data protection regulator issued the following press release concerning recent enforcement actions (unofficial translation follows):
– The PIPC calls for putting access control and other privacy-safeguarding measures in place in preparation for credential stuffing and other intrusion attempts
The Personal Information Protection Commission (PIPC) held its eighth plenary meeting of 2025 and decided to sanction CLASSU Inc. (CLASSU) and KT alpha Co., Ltd. (KT alpha) for violations of the Personal Information Protection Act (PIPA), imposing penalties for violations totalling KRW 58.51 million and penalties for wrongdoing totalling KRW 14.1 million, together with publication of the sanction results on the PIPC’s website and a publication order.
[Note: KRW 58.51 million = USD $41,251.00. KRW 14.1 million = USD $9,940.85.]
The following explains the two businesses’ violations and sanction results.
1. CLASSU: A penalty for violations of KRW 53.6 million, a penalty for wrongdoing of KRW 7.2 million, along with correction and publication orders
An unidentified hacker obtained access to a database (DB) administrator account by an unknown method, resulting in a breach of 1.6 million users’ data between August 1, 2023, and July 25, 2024. The route of the account takeover (ATO) has not been identified; however, it was found that CLASSU’s personal data processors stored and used files containing DB access information openly on a developer platform. This is presumed to be the likely route of the ATO.
The PIPC’s investigation found that CLASSU failed to fulfil its privacy-safeguarding obligations sufficiently. Access control was not properly enforced: access authority was not restricted to a limited set of IP addresses. CLASSU’s personal data processors shared an administrator account without legitimate reason and stored users’ resident registration numbers (RRNs) and account numbers without encryption.
Moreover, CLASSU failed to destroy copies of identification documents that had already fulfilled their original purpose of processing. The business also delayed its data breach report. The PIPA stipulates that personal data processors must report a data breach within 72 hours of becoming aware of the incident. In consideration of CLASSU’s financial viability and other capabilities, however, the PIPC applied a reduction to the penalties imposed on the business. Under the relevant PIPC notification, a penalty can be reduced by up to 90% in consideration of a violator’s financial viability and other capabilities.
In this regard, the PIPC decided to impose a penalty for violations of KRW 53.6 million and a penalty for wrongdoing of KRW 7.2 million on CLASSU, along with a publication order of sanction results on the business’ website. The PIPC also issued a corrective order on CLASSU to establish concrete privacy-safeguarding plans, including overhauling security vulnerabilities and taking subsequent measures. The PIPC will keep an eye on CLASSU’s preventive and remedial measures.
2. KT alpha: A penalty for violations of KRW 4.91 million, a penalty for wrongdoing of KRW 6.9 million, along with publication of the sanction results on the PIPC’s website
Hackers used credential stuffing, which enters stolen usernames and passwords into a website’s (giftishow) login fields, to achieve an ATO from January 28, 2023, to February 2023, leading to a breach of giftishow users’ data.
Attackers use credential stuffing to attempt logins with a large number of previously leaked credential pairs, such as lists of usernames and their corresponding passwords, in order to achieve an ATO. As a result, the number of login attempts and login failures rises sharply.
The PIPC’s investigation shows that the hackers used 4,305 IP addresses to attempt more than 5.4 million logins to giftishow’s website during the aforementioned period and successfully logged into about 98,000 member accounts. With 51 of these accounts, they reached the pages containing personal information, causing secondary damage such as viewing users’ personal information and using points without authorization. According to the PIPC’s investigation results, the hackers attempted up to 1,140 logins per minute from the same IP address, and the number of daily login attempts during the period was 550 times higher.
KT alpha was negligent in its safeguarding duties, such as managing intrusion detection and prevention and operating anomaly detection and response systems against repeated login attempts from specific IP addresses. These insufficient data practices resulted in a data breach.
However, KT alpha had proactively applied appropriate masking of personal information on its website. Thanks to this measure, the breach exposed only 51 users’ personal information, even though the hackers successfully logged into about 98,000 accounts.
Meanwhile, KT alpha delayed its data breach report, even though the PIPA in force before its major amendments required personal data processors to report a breach within 24 hours of becoming aware of the incident.
In this regard, the PIPC decided to impose a penalty for violations of KRW 4.91 million and a penalty for wrongdoing of KRW 6.9 million on KT alpha for violations of the PIPA and to publish the sanction results on its website.
Personal data processors should put access control measures in place by allowing only approved users to access their personal information processing systems to prevent potential data breaches.
To prevent credential stuffing attacks, personal data processors should take safeguarding measures such as applying anomaly detection and intrusion-blocking policies. The PIPC also urges personal data processors to apply masking to web pages containing personal information, saying it can significantly reduce the damage caused by a data breach.
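The indicators described in the KT alpha case (a sharp rise in login attempts and failures, over a thousand attempts per minute from a single IP address, daily volume far above normal) are exactly what the anomaly detection the PIPC recommends has to look for. The following is an added example, not code from the PIPC, CLASSU or KT alpha: a small detector over constructed login log lines that flags source IPs by peak attempts per minute, failure ratio and number of distinct usernames tried, and compares the day's volume with a known baseline. The log format, the IP addresses and all thresholds are assumptions and should be tuned to a site's own normal traffic.

```python
"""Credential-stuffing indicators over web login logs (added example, not the PIPC's code).

Assumed, constructed log format: "<ISO timestamp> <client IP> <username> <SUCCESS|FAIL>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("result") == "SUCCESS"


def per_ip_stats(lines):
    """Aggregate attempts, failures, distinct usernames and attempts per minute for each source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "per_minute": defaultdict(int)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, ok = parsed
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
        s["per_minute"][ts.replace(second=0)] += 1
    return stats


def flag_stuffing_sources(lines, max_per_minute=30, min_fail_ratio=0.8, min_distinct_users=20):
    """Return {ip: [reasons]} for source IPs whose behaviour matches credential stuffing.

    Indicators: a burst of attempts from one IP within a minute, and a high failure
    ratio spread across many different usernames. Thresholds are assumed values.
    """
    flagged = {}
    for ip, s in per_ip_stats(lines).items():
        peak = max(s["per_minute"].values())
        fail_ratio = s["failures"] / s["attempts"]
        reasons = []
        if peak >= max_per_minute:
            reasons.append(f"{peak} attempts in one minute")
        if fail_ratio >= min_fail_ratio and len(s["users"]) >= min_distinct_users:
            reasons.append(f"{fail_ratio:.0%} failures across {len(s['users'])} usernames")
        if reasons:
            flagged[ip] = reasons
    return flagged


def daily_volume_ratio(lines, baseline_daily_attempts):
    """How many times the day's parsed login attempts exceed a known-normal daily baseline."""
    total = sum(1 for line in lines if parse_line(line) is not None)
    return total / baseline_daily_attempts


def build_sample_log():
    """Constructed sample: one source tries 60 usernames in one minute, plus a few normal users."""
    lines = []
    start = datetime(2023, 1, 28, 10, 0, 0)
    for i in range(60):  # attacker (203.0.113.5): 60 different usernames in 60 seconds
        result = "SUCCESS" if i == 17 else "FAIL"  # one stuffed pair happens to be valid
        ts = (start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 203.0.113.5 user{i:03d} {result}")
    normal = [("alice", "SUCCESS"), ("bob", "FAIL"), ("bob", "SUCCESS"), ("carol", "SUCCESS")]
    for i, (user, result) in enumerate(normal):  # legitimate users, spread out over time
        ts = (start + timedelta(minutes=5 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 198.51.100.7 {user} {result}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for ip, reasons in flag_stuffing_sources(log).items():
        print(ip, "->", "; ".join(reasons))
    print(f"daily volume is {daily_volume_ratio(log, 16):.1f}x the baseline")
```

In production the same counters would be fed from the web server or authentication service logs and the flagged IPs passed to a blocking rule; the point of the three separate indicators is that a rate limit alone can be evaded by spreading attempts across many addresses (4,305 in the case above), whereas the failure-ratio and distinct-username checks still fire per source, and the daily-volume ratio catches the aggregate spike.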