LG U+ fined as a third party downloads and sells customer data

LG U+ was hit with 21.6 million won ($20,000) in government fines for a failure to secure customer data, which led to a massive breach and unauthorized sharing of sensitive information.

The Personal Information Protection Commission (PIPC) announced Wednesday that it imposed a total of 75 million won in fines on four companies: LG U+, two of the mobile carrier’s brick-and-mortar stores and a third-party company that had illegally leaked LG U+’s customer information.

LG U+ subscribers to high-speed internet were victims of the data leaks.

This is the first case in which a telecommunications company was held directly responsible and penalized for customer data leaks that happened at its branches. These stores are not directly run by headquarters but are more like franchises run by individual owners.

According to the PIPC, the two LG U+ branches hired a company named ITL to manage information of new subscribers to LG U+’s high-speed internet. This was done without the consent of headquarters.

In the process, ITL was granted access to the carrier’s internal system between September 2016 and June 2019. ITL then saved LG U+ customer information without encryption and sold it to clients.

The two stores were fined a total of 23.2 million won for violating laws on personal data protection. ITL was fined 30.2 million won for illegally collecting and selling customer information.

The commission concluded LG U+’s ignorance about the three-year-long data leak was itself a violation of the domestic data protection law.

“While an unauthorized company accessed its user information system between September 2016 and June 2019, LG U+ neglected its duty to monitor these records and failed to properly supervise its branches,” the PIPC said.

Of the 21.6 million won fine, 1.16 million won was for loose supervision, while the other 10 million won was imposed for failing to keep a third-party company away from its customer database.