“Personal information divulgence” and “personal information exposure” often appear in newspaper headlines. The words divulgence and exposure seem similar, but they are two different concepts.
What is Personal Information Divulgence?
Personal information divulgence refers to a situation in which a legal person, organization, individual, etc. operating personal information or relevant statutes loses control over personal information, or in which access by unauthorized parties is allowed. Personal information divulgence, defined in the Personal Information Protection Act, is subject to criminal penalties.
In accordance with the Personal Information Protection Act, an incident is considered personal information divulgence if it falls under any of the following circumstances:
1. Where any written documents, portable storage devices, portable computers, etc. containing personal information are lost or stolen;
2. Where a person with no normal authority for access to personal information processing systems, such as a database, accesses such a system;
3. Where any files, paper documents, or other storage media containing personal information are wrongly delivered to an unauthorized person due to wrongful intent or negligence of a personal information controller;
4. Where personal information is delivered to any unauthorized person.
One recent personal information divulgence incident is the BALAAN case that happened on March 16, 2022. An unauthorized person accessed the personal information of the members of the luxury brand online shopping mall BALAAN in an abnormal way, and customers’ personal information such as e-mails, telephone numbers, and dates of birth was divulged. BALAAN said that it introduced an additional intrusion prevention system and conducted 24-hour monitoring to minimize secondary damage. However, additional hacking damage occurred in April, one month after the initial incident, which showed security vulnerabilities. Other customer information divulgence incidents include those involving Jeju Air passengers’ payment information (Mar. 2021), the personal information of Seoul National University Hospital’s patients and employees (Jul. 2021), and the personal information of Millie’s members (Jun. 2022).
What is Personal Information Exposure?
Personal information exposure refers to a situation in which personal information leaks out and is disclosed by hackers, etc. Sometimes personal information is exposed due to a data subject’s mistake, instead of wrongful intent of a third party. Unlike personal information divulgence, personal information exposure is not legally defined and not subject to criminal penalties.
In one personal information exposure case, the personal information of around 310,000 Coupang members was exposed in October 2021. In the Coupang app, other members’ names and addresses were exposed at the product order confirmation step for one hour. Coupang said that the incident occurred during app improvement work and that all necessary security measures were taken.
Personal Information Divulgence and Exposure Increased During the COVID-19 Pandemic
As online activities increased after 2022 when the COVID-19 pandemic began, data and personal information divulgence and exposure incidents have continuously occurred both at home and abroad. According to the “2021 Survey on Personal Information Protection” jointly published by the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA), 44.3% of the Korean people experienced personal data breaches over one year. According to the Cost of a Data Breach Report 2021, published by IBM Security to analyze data breaches that occurred in 500 enterprises and organizations all over the world, the average loss from a data breach incident was found to be approximately KRW 4.9 billion. In particular, the damage from ransomware attacks was around KRW 5.3 billion, which is greater than that from other types of hacking. The report found that cyber incidents were not properly handled because the level of security for telecommuting and cloud migration, both of which increased during the COVID-19 pandemic, was not yet high enough.
What is the Solution for Enterprises?
Personal information divulgence and exposure incidents are occurring regardless of enterprise size, whether at large enterprises or middle-standing enterprises. To protect significant data and information, enterprises need proper measures such as information encryption and access control that allows only authorized users to access data. SINSIWAY’s access control solution PETRA allows you to establish an effective corporate security system through its outstanding functions including integrated audit log management, central security policy management, audit logging, and authority separation by security manager. In addition, the encryption solution PETRA CIPHER protects important information safely by encrypting data and files based on its certified encryption module and duplication encryption prevention technology. With access control and encryption solutions, enterprises will be able to prevent data divulgence and exposure incidents and safely protect corporate data and customers’ personal information. It is important to take action in advance to protect significant data, but follow-up action such as notification and proper remedies should be proactively conducted as well.
Source & Reference
Personal Information Protection Act
Personal Information Protection Commission