Commission Initiates Investigation into Data Leak Impacting Hundreds of Thousands of Customers

Choi Jang-hyuk, Vice Chairperson of the Personal Information Protection Commission, speaks at a meeting in Jongno District, Seoul, on April 23. [NEWS1]

The Personal Information Protection Commission (PIPC) of South Korea has opened an investigation after two major insurance general agencies (GAs) reported significant data breaches. The incidents may affect hundreds of thousands of customers.

The PIPC announced that it has begun a formal inquiry into Youfirst Insurance Marketing and Hana Financial Find, both of which have reported possible personal data leaks. This investigation highlights ongoing concerns over data security in financial services, particularly as GAs act as intermediaries, selling products from multiple insurers under contractual arrangements.

Youfirst Insurance Marketing, which reported revenues of 140 billion won (approximately $100.4 million) in the first half of last year, ranks 16th among domestic GAs. It provides a wide range of insurance products, employing over 1,000 agents and servicing several hundred thousand clients. Hana Financial Find operates as a wholly-owned subsidiary of Hana Insurance and functions as a sales channel for various financial products offered through its parent company and affiliates.

Authorities are concerned that the breach may extend beyond policyholder information to sensitive financial details tied to other services offered by Hana Financial Group. According to the PIPC, the attackers likely gained access by compromising administrator accounts belonging to a third-party vendor that operates the agencies’ sales support systems. If the GAs handled customer data under delegation agreements with insurers, particularly sensitive personal information could have been exposed.

Crucially, even personal data held by financial institutions that is not credit-related is still subject to the Personal Information Protection Act, underscoring the regulatory and legal implications of such breaches. The commission is currently investigating the mechanisms of the leaks and assessing whether the insurance agencies adhered to their data protection obligations.

According to a PIPC statement, any confirmed violations of the law will result in stringent action in accordance with relevant legislation. Additionally, the commission will conduct a privacy compliance audit on the integrated solutions utilized by both companies. Given that the same software provider may serve multiple GAs, officials are also examining whether similar vulnerabilities could exist across the sector.

“We are aware that several other GAs might be using the same compromised sales support system,” a PIPC official remarked, indicating the intention to conduct a thorough evaluation of the entire landscape. The full scope of the potential impacts is still under assessment as officials work to ascertain the extent of the vulnerabilities revealed by the incidents.

The incidents underline a supply-chain risk that is particularly acute in the financial services sector: a GA’s customer data is only as well protected as the vendor systems that process it, and a single compromised administrator account at a shared sales-support provider can expose every agency running that platform. The PIPC’s parallel audit of the integrated solutions used by both companies reflects that concern.

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY MOON HEE-CHUL [[email protected]]
