[Alpha Biz= Kim Jisun] Customer data breaches have recently occurred at Korea Papa John’s, a pizza franchise, and Mustit, a luxury goods platform, adding to a string of high-profile incidents involving personal information leaks at major South Korean companies such as YES24.
On June 26, Korea Papa John’s issued an official statement on its website, stating that the security vulnerability had been "immediately blocked and fixed" and that the company is "closely cooperating with the Korea Internet & Security Agency (KISA) and other relevant government bodies to swiftly and accurately investigate the extent and cause of the data exposure."
According to the Personal Information Protection Commission (PIPC), due to negligent source code management, customer order information such as names and phone numbers had been publicly accessible online since January 2017. The company became aware of the issue only on June 25.
The PIPC announced that it will conduct a thorough investigation into the circumstances of the leak, the scale of the damage, and whether Korea Papa John’s complied with its legal obligations for technical and administrative safeguards. The commission will also closely examine whether the company stored customer data beyond the legally permitted retention period and will take appropriate legal action if any violations are confirmed.
On the same day, Mustit also disclosed a data breach through its official website. The company said it was notified by KISA on June 23 of potential personal data compromise. Upon internal review, Mustit confirmed two instances of unauthorized access attempts—once between May 6 and 14, and another on June 9.
The breach reportedly stemmed from an application programming interface (API) that allowed partial access to user information without proper authentication. The company stated that the vulnerability was promptly blocked and comprehensive security measures were taken upon discovery.
Personal information potentially exposed includes up to nine data fields: user ID, account number, registration date, full name, date of birth, gender, mobile phone number, email address, and home address. Mustit has recommended that affected users change their passwords and exercise caution against phishing calls, smishing, and other suspicious messages to prevent secondary damage.
AlphaBIZ Kim Jisun(stockmk2020@alphabiz.co.kr)
