Korea Sanctions KAB & Telus International AI over Major Data Breaches & Security Failures


Key Takeaways
  • KAB Breach Tied to SQL Injection: The Korea Accreditation Board failed to implement basic input validation and retained sensitive RRNs far past the legal deadline, resulting in a 21,000-person data breach.
  • Telus International AI Breach Affected 68 Million: Broken access controls and delayed breach notification led to heavy sanctions, with over 13,000 Koreans impacted.
  • Delayed Reporting Penalized: Telus International AI failed to notify authorities and affected individuals within required timeframes.
  • PIPC Emphasizes Prevention: Regulators urged all data processors to routinely address known vulnerabilities and update safeguards before an attack occurs.
Deep Dive

South Korea’s privacy watchdog has handed financial penalties to the Korea Accreditation Board (KAB) and Telus International AI for failing to put in place basic safeguards to protect personal data, following significant breaches tied to long-known security vulnerabilities.

In a decision reached during its 14th plenary session on June 25, the Personal Information Protection Commission (PIPC) sanctioned both entities for violating the Personal Information Protection Act (PIPA), imposing combined penalties of more than ₩150 million (approximately $110,000 USD). The Commission highlighted systemic lapses in security controls, ranging from broken access controls to the improper retention of sensitive national identifiers, as central to the breaches.

KAB, a non-profit accreditation and training organization, was penalized ₩61.2 million (around $45,000 USD) after a 2023 data breach exposed over 21,000 individuals’ personal details on GitHub and Telegram. The breach stemmed from a structured query language injection (SQLi), a common form of cyberattack that exploits insufficient authentication and improperly handled user input.

Investigators found KAB had no mechanisms to validate user-supplied input on its website, leaving it wide open to SQLi attacks. Worse still, the breach included South Korean resident registration numbers (RRNs) collected from 2001 to 2014, data KAB was required by law to destroy years ago. Under amendments to PIPA, organizations were expected to eliminate RRNs collected before August 2014 within two years. KAB failed to comply, and that legacy data was caught in the breach.
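The two controls the PIPC found missing at KAB, input validation and safe handling of user input in database queries, are shown side by side below. This is an added illustration written for this article, not code from KAB or from the PIPC's findings; the member table, the usernames and the allow-list pattern are all constructed for the example. The "before" function splices the request value into the SQL text, so a single quote in the input changes the query's structure; the "after" function binds the value as a parameter and additionally rejects input that fails an allow-list check.

```python
import re
import sqlite3

# Constructed sample rows for the demo (hypothetical, not data from the breach).
SAMPLE_MEMBERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite table standing in for a member directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def find_member_vulnerable(conn, username):
    """Before: the request value is spliced into the SQL text, so a quote in the
    input becomes part of the query instead of being treated as data."""
    query = f"SELECT id, username, email FROM members WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_member_safe(conn, username):
    """After: the value is bound as a parameter; the driver never lets it be
    parsed as SQL, whatever characters it contains."""
    query = "SELECT id, username, email FROM members WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Allow-list for what a username may look like (hypothetical policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Input validation as a second layer: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username):
    """Hardened entry point: validate first, then query with a bound parameter."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return find_member_safe(conn, username)


def demo():
    """Run one malformed input through both query styles and the validator.

    Returns (rows returned by the vulnerable query, rows returned by the safe
    query, whether validation accepted the input)."""
    conn = make_db()
    malformed = "' OR '1'='1"  # a quote that closes the string literal early
    leaked = find_member_vulnerable(conn, malformed)
    safe = find_member_safe(conn, malformed)
    return len(leaked), len(safe), validate_username(malformed)


if __name__ == "__main__":
    leaked, safe, accepted = demo()
    print(f"vulnerable query returned {leaked} rows, safe query returned {safe}, "
          f"validation accepted malformed input: {accepted}")
```

Running the module shows the vulnerable query returning every row of the table for the malformed input while the parameterised query returns none and the validator rejects it outright. Parameter binding is the control that actually prevents injection; the allow-list is defence in depth and also gives a cheap signal to log and alert on, since legitimate clients should rarely send input that fails it.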

Telus International AI Fumbled Notification, Access Controls

The Canadian-owned Telus International AI faced even steeper penalties—₩89.2 million (roughly $65,000 USD)—after a 2023 cyberattack compromised a staggering 68 million data records, including those of over 13,600 South Koreans. The company, which supports AI data training projects through crowdsourcing platforms, reportedly failed to secure role-based access controls, allowing attackers to exploit broken access controls and gain unauthorized access by logging in as general users.
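The failure described for Telus International AI is a missing authorization step rather than a missing login: a general user was authenticated, but nothing checked whether that user's role permitted the action. The example below is added for this article and is not code from Telus International AI or from any crowdsourcing platform; the roles, the permission table, the session store and the endpoint names are all hypothetical. The "before" handler only confirms the caller is logged in; the "after" handler looks up the role from the server-side session (never from the request) and checks it against the action, logging every refusal so that repeated attempts can be detected.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    WORKER = "worker"      # general crowdsourcing user
    REVIEWER = "reviewer"
    ADMIN = "admin"


# Which roles may perform which action (hypothetical policy for the example).
PERMISSIONS = {
    "view_own_tasks": {Role.WORKER, Role.REVIEWER, Role.ADMIN},
    "export_dataset": {Role.ADMIN},
}


@dataclass
class Session:
    user_id: str
    role: Role


# Constructed server-side session store keyed by session token.
SESSIONS = {
    "tok-worker": Session("u-1001", Role.WORKER),
    "tok-admin": Session("u-0001", Role.ADMIN),
}

# Denied attempts are recorded so monitoring can alert on them (detection hook).
AUDIT_LOG: list = []


def handle_broken(request):
    """Before: the handler only checks that the caller is logged in. Any general
    user who can reach the endpoint gets the same result as an administrator."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        return 401  # not authenticated
    return 200  # no authorization check at all


def authorize(session, action):
    """Role check against the server-side session, never against request data."""
    return session.role in PERMISSIONS.get(action, set())


def handle_fixed(request):
    """After: authenticate, then authorize the specific action for the session's
    role; refusals are logged for monitoring."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        return 401
    action = request.get("action")
    if not authorize(session, action):
        AUDIT_LOG.append(
            {"user_id": session.user_id, "action": action, "result": "denied"}
        )
        return 403  # authenticated but not permitted
    return 200


if __name__ == "__main__":
    export_as_worker = {"token": "tok-worker", "action": "export_dataset"}
    print("broken handler:", handle_broken(export_as_worker))
    print("fixed handler:", handle_fixed(export_as_worker))
    print("audit:", AUDIT_LOG)
```

The distinction the fixed handler makes between 401 and 403 matters for operations as well as correctness: a burst of 403 responses from one general-user account against administrative endpoints is exactly the pattern an access-control probe produces, and the audit entries written here are what a detection rule would consume.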

The PIPC also faulted Telus International AI for a delayed response. The company became aware of the breach on November 2, 2023, but failed to notify authorities until November 14, well beyond the 72-hour deadline mandated under PIPA. Notification to affected data subjects was even slower, coming more than a month later on December 8.

In its official statement, the PIPC called out a broader complacency among data processors in failing to address “common security vulnerabilities” like SQLi and improper access authorization.

“Personal data processors should overhaul and improve their security measures during the development and operation of services on a regular basis,” the Commission said, urging more proactive risk mitigation and vigilance.
