South Korea's Personal Information Protection Commission (PIPC) has imposed a total fine of KRW 444.6 million on two entities—Haesung DS (KOSDAQ: 195870), a South Korean manufacturer of package substrates and lead frames, and Jeonnam Technopark—for violating personal data protection laws. Both were also ordered to disclose the penalties on their official websites.
The PIPC disclosed the decision following its 16th plenary meeting on July 23.
Haesung DS experienced a major data breach in October 2023 when an unidentified hacker exploited a known vulnerability in the company's SSL-VPN equipment to access its internal network. The attacker stole personal information from 73,975 individuals—including shareholders, employees, and partner company staff—and deployed ransomware on internal servers.
According to the investigation, the vulnerability had been publicly disclosed by the equipment maker and the Korea Internet & Security Agency (KISA) as early as June 2023. However, Haesung DS failed to apply the necessary security updates prior to the attack. The PIPC also found that antivirus and malware protection systems were either inactive or insufficient during the incident period.
As a result, Haesung DS was fined KRW 343 million and ordered to publish the penalty on its website for failing to fulfill its data protection obligations.
Jeonnam Technopark, a non-profit foundation that supports small and medium-sized enterprises (SMEs), was also fined KRW 98 million with an additional KRW 3.6 million in administrative penalties. In November 2023, a hacker illegally accessed its Jeonnam Science & Technology Information System, deleted the entire user database, and left a ransom note demanding payment. The database contained personal information of approximately 1,200 users.
Investigators found that Jeonnam Technopark used easily guessable administrator credentials, stored passwords using the weak MD5 hash algorithm, and transmitted passwords without encryption. It also failed to restrict access by IP address, detect intrusion attempts, or properly log system access.
Although Jeonnam Technopark detected the breach on November 23, it delayed the mandatory report until November 30—beyond the 72-hour window required by law—and only disclosed the breach publicly on December 1.
The PIPC emphasized that these incidents highlight the growing threat of ransomware and data breaches targeting companies with unpatched or poorly secured systems. The agency urged all organizations to review and strengthen their security protocols, especially those using VPN and other perimeter-access equipment.