The US burger giant’s South Korea operation has been fined 706 million won (roughly $551,000) for breaking the nation’s data privacy laws in its handling of South Korean users’ information.
The South Korean privacy regulator, the Personal Information Protection Commission (PIPC), held its fifth plenary session on Wednesday and decided to fine McDonald’s alongside five other companies over privacy violations. The US burger giant was given the biggest penalty among the six firms.
The PIPC said that McDonald’s had mishandled customers’ data and let attackers gain access to more than 4.8 million South Korean users’ data, which is almost 10 percent of the country’s population. The PIPC did not immediately respond to The Readable’s request for details about the information that has been affected.
The privacy regulator added in the statement that the burger chain failed to notify its customers about the breach and did not adequately inform regulators about the leakage within the required time. The South Korean privacy law states that companies must notify users and report data exposures to regulators within 24 hours after they have discovered the breach. Moreover, the PIPC discovered that the burger chain had stored 766,846 users’ personal information beyond their retention period.
This decision was one of the results of the privacy regulator’s investigation of the burger chain’s data breach in 2021. According to foreign news reports, McDonald’s revealed in June of 2021 that it had suffered a data breach which led to the exposure of personal information of customers, such as emails, phone numbers, and addresses, in South Korea and Taiwan. In the reports, the burger giant stated that no customer payment information was affected.
The Readable reached out to the McDonald’s South Korea operation, but the company did not immediately respond to the request for comment about the PIPC’s decision.