"Tens of Millions Affected at Once"... Corporate Personal Data Becomes a 'Gift Set' for Hackers

Coupang with 37.56 million, SK Telecom with 23.24 million, and TVING with 19.53 million.

Recent personal data breach incidents are trending toward massive-scale accidents where tens of millions of people are affected in a single event.

In the information age, as companies provide various services such as shopping, content, and telecommunications, the volume and types of personal data accumulated by a single company have increased significantly.

Consequently, concerns over secondary damages such as identity theft and phishing are growing, leading to calls for companies to increase investment in information security and strengthen their management systems.

According to the security industry on June 28, the most recent large-scale personal data breach occurred at the over-the-top (OTT) media service TVING.

According to data submitted by the Personal Information Protection Commission and the Ministry of Science and ICT to Representative Lee Jung-heon of the Democratic Party of Korea, the scale of the personal data leak at TVING has been confirmed to be 19.53 million people so far.

This figure is more than 6.5 million higher than the government's initial estimate of 13 million, and it far exceeds both TVING's number of paid subscribers (approximately 5 million) and its monthly active users (MAU, 8.82 million as of May).

The leaked information includes IDs, names, dates of birth, passwords, refund account numbers, Connecting Information (CI), and Duplicate Subscription Verification Information (DI).

In particular, ultra-large-scale personal data breaches have been concentrated within the last two years.

Looking at the top five cases by scale of leakage based on sanctions by the Personal Information Protection Commission, the top three—Coupang (37.56 million), SK Telecom (23.24 million), and Incruit (7.28 million)—all had their breaches confirmed within the last two years.

The security industry attributes the increasing scale of leaks to the spread of ransomware and the rise in attacks targeting large personal information trustees.

In fact, according to the Personal Information Protection Commission and the Korea Internet & Security Agency (KISA), 276 out of 447 personal data breach reports filed last year (61.7%) were caused by hacking.

Yeom Heung-yeol, a professor of information security at Soonchunhyang University, diagnosed the situation, saying, "As personal data has gained monetary value in illegal trading markets, the motivation for attacks has increased, and attackers are becoming organized by sharing roles and utilizing various tools. With most services shifting to digital, the attack surface has also expanded significantly."

Hwang Seok-jin, a professor at the Graduate School of International Information Security at Dongguk University, pointed out, "Many companies hold a variety of personal data, so when information stolen from multiple places is combined, its utility value becomes much higher. For hackers, it is like a comprehensive gift set."

He added, "In the past, hackers had to find vulnerabilities to attack themselves, but now artificial intelligence (AI) finds them all. If the basics of information security, such as data encryption and access control, are not strictly followed, personal data breach accidents are bound to continue."

There are also calls to strengthen a prevention-centered personal data protection system.

Choi Kyung-jin, a professor of law at Gachon University, said, "The government should promote policies that strengthen preventive measures so that 'personal data protection as a fundamental principle' can be practiced in the field. Companies must also establish governance and internal management systems that make personal data protection a basic principle and ensure it is consistently practiced."
※ Please note: This article was translated by AI and may contain errors.