McDonald’s Korea was given a fine of US$532,110 on Wednesday after the personal data of 4.87 million customers was leaked to hackers due to the firm’s lax data management.

The Personal Information Protection Commission handed out the fine to the Korean branch of the American fast food chain, along with a financial penalty of about 10 million won for the data breach.

According to the commission’s findings, McDonald’s Korea did not perform sufficient access control, leaving a backup file containing the personal data of its restaurant and McDelivery customers accessible via protocols for file sharing.

As a result, the personal data of more than 4.87 million customers was hacked and leaked.

McDonald’s Korea was also found to have not destroyed the personal data of 766,846 customers for whom the data retention period had expired, and belatedly notified authorities and customers of the data leakage.

This story was originally published by Yonhap, via Korea Bizwire.