Names and self-introductions of 7.3 million job-hunting students leaked... Korea says it ”didn't know” for two months

Incruit, a South Korean job portal whose personal information of 7.28 million people was stolen in a hacker attack, has been fined 463 million won.
According to the Personal Information Protection Commission on the 23rd, at a general meeting held the previous day, the commission imposed a fine of 463 million won on Incruit and appointed a dedicated Chief Personal Information Protection Officer.
The company was hacked between January and February of this year, resulting in the loss of personal information of 7.28 million members.
The leaked data totaled 438GB and included 18 types of sensitive information, such as applicants' names, contact details, gender, educational background, career history, as well as photographs, copies of qualifications, resumes, and personal statements.
The hacker installed malware on the work computers of Incruit employees, accessed the company's internal database (DB), and then extracted documents over a period of about a month.
Despite the abnormal database access records and repeated high-volume traffic, Incruit received a threatening email from a hacker two months later.
The company only found out about the leak when it received the notice. Security management was also sloppy. The computers of employees who handle sensitive information were not blocked from the Internet network, and personal information was downloaded.
In 2020, Incruit also leaked around 35,000 personal information records, and in July of last year, it was fined 70.6 million won and 3.6 million yen.
The Personal Information Protection Commission stated, "The company ignored abnormal signs and similar problems were repeated even after previous sanctions," and "we have taken strict disciplinary action against the company, judging it to be a serious violation."
Incruit must publish the fact that it has imposed a fine on its website and report within 60 days on measures to support victims and strengthen security.
The Personal Information Protection Commission said, "We are promoting a proposal to improve the surcharge system, which will have a punitive effect on companies that repeatedly leak personal information."
"If they fail to fulfill their obligation to protect information, we will ensure that substantial sanctions are imposed," he said.