Successful Representation in a Data Breach Case Involving the Determination of the Scope of Liability and the Calculation of Administrative Fines
D&A LLC successfully represented an e-commerce company (“Client”) in a case involving a large-scale personal information breach. The Client’s personal information system was compromised through an SQL injection attack, resulting in the leakage of approximately 530,000 records of seller and customer data. The compromised information included sensitive personal data, such as resident registration numbers. Consequently, the Personal Information Protection Committee initiated an investigation into the incident.
Representing the Client, we argued that the Client’s liability should be mitigated, emphasizing that the compromised system had been developed and operated not by the Client itself, but by a company that had merged with the Client prior to the incident. We further highlighted that the Client had exercised its best efforts to ensure the security of the system currently in operation.
Furthermore, we contested the base amount used in calculating the administrative fines, on the ground that it included sales figures unrelated to the alleged violation. In particular, we demonstrated that the Client operates across multiple service sectors and manages several independent websites. We also confirmed that the revenues of each service sector are generated through distinct distribution channels.
Focusing on minimizing the sales amount used as the basis for calculating administrative fines, we presented sufficient evidence demonstrating that the sales generated from each sector, website, and channel should be deemed unrelated to the alleged violation. We also submitted both primary and alternative calculation methods for determining the appropriate fines.
Following the Committee’s deliberations, we ultimately secured a favorable outcome, with the administrative fines reduced to less than 20 percent of the amount initially anticipated.