Three Companies, Three Very Different Penalties
At its 13th plenary meeting on July 8, 2026, South Korea's Personal Information Protection Commission (PIPC) sanctioned three unrelated businesses for the same category of failure: neglecting basic access controls on systems holding customer data. Lock&Lock, the plastic-container maker, was fined ₩503 million plus a ₩5.4 million administrative penalty after hackers exploited an unpatched mail-server vulnerability — one publicly disclosed back in 2022 — to steal a member database of roughly 1.3 million people in May 2024, then returned in November to pull employee records. Ubase, a call-center outsourcing firm, was fined ₩168 million after an unrestricted admin account exposed 1,852 inquiry-board users' data, later posted to Telegram. Sun Photo, a small camera-and-video retailer, drew the lightest penalty — ₩30 million — after a hacked admin page leaked roughly 170,000 members' details, which was then used to attempt voice-phishing against at least one customer (Khan.co.kr; Seoul Economic Daily).
Combined, the three penalties total ₩701 million and cover roughly 1.47 million affected individuals — precisely the headline figure regulators cited. But the aggregate number obscures the more interesting story: the PIPC did not treat these cases identically, and that distinction matters.
The Case for Tough Enforcement
The regulator's underlying complaint is fair. None of these breaches involved a sophisticated nation-state actor or a novel exploit. Lock&Lock left a two-year-old vulnerability unpatched, reused identical passwords across administrator accounts on critical servers, left personally identifying information unencrypted, and failed to notice large abnormal data transfers until hackers emailed the company directly. Ubase and Sun Photo both ran administrator panels reachable from the open internet with no IP allow-listing and no multi-factor authentication layered on top of a password. These are not edge-case failures requiring specialized security expertise to prevent — they are baseline hygiene that any company processing personal data at scale is expected to maintain under Article 29 of the Personal Information Protection Act, which requires firewalls, access-control systems, and encryption of identifying information (Personal Information Protection Act, official English translation). A regulator that let this pass without consequence would be signaling that negligence carries no cost, and that signal would be worse for consumers — and ultimately for the digital economy's credibility — than the fines themselves.
Why the Gradation Matters More Than the Total
Where this ruling earns credit is in what it didn't do: apply a one-size-fits-all number. Lock&Lock's fine is roughly 17 times Sun Photo's, tracking company revenue, the scale of exposed data, and — critically — the presence of repeat or compounding failures (an ignored 2022 patch, a second breach seven months after the first, records retained past their legal deletion window). Ubase and Sun Photo, smaller operators whose single-incident lapses were narrower in scope, received penalties an order of magnitude lower. That's proportionality doing its job, and it stands in useful contrast to flat statutory maximums seen in other jurisdictions' privacy regimes, which regulators sometimes reach for regardless of a defendant's size or intent, inviting the criticism that penalties become punitive rather than corrective.
The scale point is easier to see set against the PIPC's other recent action. One month earlier, on June 11, 2026, the same commission fined e-commerce giant Coupang ₩624.68 billion — roughly $409 million — for comparable "basic security negligence" following a breach that exposed data on 37.5 million people, a sum the regulator explicitly called its largest-ever penalty (The Record / Recorded Future News). Coupang's fine is nearly 900 times Lock&Lock's, yet both rulings rest on the identical legal theory: inadequate access control. The PIPC is demonstrating it can size punishment to actual harm and actual capacity to pay, rather than defaulting to headline-grabbing maximums for every violator regardless of context.
The Remaining Gap: Compliance Support for Smaller Firms
Where the framework could still improve is upstream of enforcement. Sun Photo is a small retailer, not a data-driven conglomerate, and its failure — an admin page without IP restriction — is a default many small businesses inherit from off-the-shelf e-commerce software rather than a deliberate cost-cutting choice. A ₩30 million fine plus a public disclosure order is a reasonable, proportionate response after the fact. But the PIPC's own commentary — urging firms to "restrict access via IP addresses" and apply authentication "beyond passwords" — reads like guidance that would have been more valuable delivered before the breach, through the sort of low-cost technical baseline checklist that regulators in other jurisdictions distribute to SMEs. Proportionate penalties are the right instrument for correcting negligence after the fact; proportionate enforcement can't fully substitute for proportionate prevention aimed at the businesses least equipped to hire dedicated security staff.
Still, this ruling is a template worth noting elsewhere: publish the failures specifically, size the fine to the actual violator, and reserve the largest numbers for the largest, most repeat-prone offenders. That's a more defensible model than either toothless enforcement or blunt maximum penalties applied uniformly.