(December 11, 2025, 04:29 GMT | Official Statement) — According to MLex, South Korea’s privacy regulator has imposed a total fine of 300 million won (approximately $203,000) on 2K Games, a prominent US game company, and the Busan International Financial Promotion Center (BIFC) over serious data breaches. The Personal Information Protection Commission (PIPC) has levied a substantial fine of 217.1 million won against 2K Games, attributable to a breach in 2022 that compromised the personal information of 12,906 users in South Korea. This incident is part of a more extensive global issue that affected around 4 million users worldwide. Furthermore, the BIFC has incurred a fine of 99 million won following a ransomware attack in 2024 that impacted its internal management system, which housed the personal data of 177 employees. Investigations revealed that the BIFC’s systems suffered from vulnerabilities due to inadequate firewall defenses, outdated Windows security patches, and the unencrypted storage of sensitive resident registration numbers.
Prepare for Tomorrow’s Regulatory Changes Today
At MLex, we recognize the risk posed to businesses by evolving regulatory landscapes. Our specialized reporters worldwide deliver exclusive insights and comprehensive analyses concerning proposals, investigations, enforcement actions, and rulings critical to your organization and clientele, both now and in the future.
Stay ahead of the curve with features including comprehensive daily newsletters covering Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI, and more. Receive personalized alerts tailored to your practice needs, focusing on geographies, industries, topics, and companies relevant to you. Moreover, our expert journalists provide predictive analyses across North America, the UK and Europe, Latin America, and Asia-Pacific.
We also offer curated case files that consolidate news, insights, and source documents into a coherent timeline for easy reference. Experience the comprehensive offerings of MLex today with a 14-day free trial.
In analyzing these incidents, it is essential to recognize the tactics that attackers may have employed. The breaches suggest potential adversarial actions aligning with several MITRE ATT&CK tactics. For example, the initial access may have been gained via phishing or exploitation of vulnerabilities within the systems, while persistence could have been established through malware that remains undetected. The issue of privilege escalation in both incidents raises profound implications for data security protocols moving forward. Cybersecurity stakeholders must remain vigilant against such breaches to safeguard sensitive information and comply with regulatory requirements.
