South Korea’s national power distributor sends out 50,000 erroneous emails

By Kuksung Nam, The Readable
Jul. 14, 2023 8:24PM GMT+9

The national electricity distributor mistakenly sent out almost 50,000 emails with users’ personal information to the wrong people more than three months ago.

According to South Korean lawmaker Kim Sung-won on Friday, the Korea Electric Power Corporation (KEPCO) planned to distribute 5,990,000 emails as part of its customer verification program and sent out 300,000 notifications per day starting from April 13. KEPCO discovered that it had sent erroneous emails to 49,884 customers after receiving a phone call from a user who opened unintended messages on April 18. The data included recipients’ names and addresses.

KEPCO explained that the error occurred during the emailing process, which was conducted by its affiliated company. “KEPCO KDN bears direct responsibility for the leakage as this incident happened from a mistake made by its employee,” wrote the electricity distributor in a statement which was submitted to the lawmaker. “We have duties such as management, supervision, and education over the KEPCO KDN. Therefore, we reached out to the victims for notification and reported the leakage to the Personal Information Protection Commission.”

In total, 110 inquiries related to the information leakage were reported to KEPCO. According to the company’s official website, an individual filed a report on the customer service page on April 20 and expressed both concerns and frustration regarding the company’s incident response. “Considering the graveness of the situation, it is disappointing to be informed through email and not through a phone call or messages,” wrote the client.

KEPCO wrote to the lawmaker that it sent clarifying emails explaining the error and sent text messages and posts to the victims. The company also posted a notification about the incident on its cyber branch website from April 24 to May 3. Under the country’s Personal Information Protection Act, organizations should keep a notice about the incident posted on their website for at least 7 days if the data breach impacted more than one thousand individuals.

The lawmaker pointed out that the company should have posted the notification for a long enough time to fully inform those who suffered, as this incident involved almost 500,000 users. According to the document submitted by KEPCO, the official statement about the incident was accessed 965 times during the 10-day period. “KEPCO should act fast to figure out whether there are collateral damages,” added Kim.

The cover image of this article was designed by Areum Hwang.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.