breaches

Settlement comes after US Federal Trade Commission accused the entertainment giant of unlawfully collecting children’s data.

Disney has agreed to pay $10m to settle allegations that it breached child privacy laws in the United States, authorities have said.

A federal court approved the settlement to resolve allegations brought by the US Federal Trade Commission, the Department of Justice said on Tuesday.

The order also requires Disney to operate its YouTube channel in accordance with data-protection rules and establish a programme to ensure future compliance.

Disney had agreed to settle the claims brought by the US antitrust watchdog in September.

The civil case stems from allegations that Disney collected children’s personal data without parental consent via its videos on YouTube.

Antitrust officials alleged that Disney had wrongly designated more than 300 YouTube videos, including content from The Incredibles, Toy Story, Frozen, and Mickey Mouse, as not being aimed at children.

YouTube requires content creators to designate videos as “Made for Kids” or “Not Made for Kids” to comply with the Children’s Online Privacy Protection Rule.

Under the rule, companies in the US are prohibited from collecting data from children below 13 without parental notification.

Other major companies that have paid settlements under the rule, which has been amended several times since its enactment in 2000, include Google and Microsoft.

Disney did not immediately respond to a request for comment.

“The Justice Department is firmly devoted to ensuring parents have a say in how their children’s information is collected and used,” Assistant Attorney General Brett A Shumate said in a statement.

“The Department will take swift action to root out any unlawful infringement on parents’ rights to protect their children’s privacy.”

Disney, which has its headquarters in Burbank, California, is one of the world’s largest entertainment companies, with revenue for the fiscal year 2025 reaching $94.4bn.

SEOUL, Dec. 26 (UPI) — Shinhan Card, one of the country’s top credit card issuers, reported a massive data leak Tuesday.

The Seoul-based company said more than 190,000 cases of potential data exposure have been identified that involve merchant partners’ personal and business information.

The incident seems to stem from employee actions rather than an external cyberattack. Against this backdrop, Shinhan Card CEO Park Chang-hun issued a formal apology.

“We would like to express our deepest apologies,” he said. “Upon discovering the incident, we immediately took measures to block any further leaks and completed a thorough review of our internal processes.”

“To ensure the protection of personal information in the future, we will conduct a full investigation into the cause and circumstances of the leak and strictly discipline the employees involved,” he said.

Despite the steps, criticism intensified as a series of security failures have taken place throughout this year.

In late November, the country’s leading online retailer, Coupang, acknowledged that the names, email addresses, phone numbers and delivery addresses of 33.7 million customers had been leaked.

The New York Stock Exchange-listed corporation could face fines amounting to a maximum of 3% of its related revenue, which is levied by the state-run Personal Information Protection Commission.

Since Coupang logged sales of some $28 billion in 2024, potential fines could surpass $800 million.

Earlier this year, SK Telecom admitted that a cyberattack had breached its network, exposing sensitive data and compromising critical information of about 23 million subscribers.

As a result, the top mobile operator was fined $92 million and ordered to suspend adding new customers for nearly two months, in accordance with government guidelines.

Criticizing companies that failed to protect customer information, Prime Minister Kim Min-seok vowed to more than triple the fines for similar violations.

“Urgent legislative tasks, such as the introduction of punitive administrative fines, will be swiftly advanced so that they can be passed as soon as possible,” Kim said at a government meeting Wednesday.

“For repeated and serious violations, we will introduce punitive fines of up to 10% of a company’s total revenue and strengthen the obligation to notify individuals of personal data breaches,” he said.

When corporate data leaks are reported, the South Korean government is quick to lash out at companies. However, critics argue that the government and state-operated organizations have failed to adequately protect their own data.

In 2021, the Atomic Energy Research Institute, the state-run outfit responsible for nuclear power research, was breached by a suspected North Korean state-backed group through a virtual private network server.

Last year, police found that North Korean hackers had stolen data from the National Court Administration during June 2021 and January 2023. The compromised data exceeded 1 terabyte, equivalent to more than 1.5 billion pages of documents, including personal information.

Despite these threats, the government is reluctant to spend more money to mitigate cybersecurity risks.

For example, the Seoul administration cut the 2026 budget for the operation and maintenance of integrated security control centers run by local governments by almost 30% compared with this year.

It also reduced the 2026 budget for reinforcing security and protection facilities at government complexes by more than 40%.

This contrasts with the 8.1% year-on-year increase in the national budget for 2026.

“When hacking incidents occur, harsh penalties are imposed on private enterprises. For government agencies, however, it seemingly ends up with only a slap on the wrist. Such asymmetric punishments are not difficult to understand,” economic commentator Kim Kyeong-joon, formerly vice chairman at Deloitte Consulting Korea, told UPI.

“Moreover, the government is required to strengthen the country’s cybersecurity infrastructure. And leaks of public data or documents are even more dangerous when they are related to national defense. I wonder whether our government is doing enough in these areas,” he said.

Park Tae-hwan, head of the AhnLab CyberSecurity Center, called for stronger efforts to counter online threats and data breaches. AhnLab is the country’s leading cybersecurity vendor.

“Following a series of cyber intrusion incidents of late, regulations centered on bigger fines and punitive measures have come to the forefront, raising the burden on companies,” Park told UPI.

“To enable a meaningful shift in perception, a parallel policy approach is needed, like one that provides incentives to companies with strong security practices, thus encouraging greater voluntary investment in cybersecurity by the private sector,” he said.