Ministry of SMEs and Startups Accused of Downplaying Responsibility by Calling Data Leak "Exposure"

Critics are pointing out that the Ministry of SMEs and Startups may be attempting to downplay its responsibility by referring to the personal information leak on its "Modu's Startup" (Everyone's Startup) platform as a mere "exposure."

This is seen as contradicting the government's recent trend of strengthening security regulations, such as successively imposing massive fines on companies hit by data leaks and introducing punitive surcharges.

According to an analysis of the ministry's briefing on June 22 posted on the government's e-briefing system, Noh Yong-seok, the First Vice Minister of SMEs and Startups, stated, "Some information was exposed," "Personal information or detailed application forms were not exposed," and "Three types of information—email addresses, idea summaries, and evaluation comments—were exposed in encrypted form."

During the subsequent Q&A session, he also replied, "There was a report that one-line ideas and non-public information of about 8,000 team members were exposed," and "What appeared to have been exposed a month ago were one-line ideas and startup team member information."

In relation to this incident where various pieces of information of the selected project participants were leaked, he repeatedly used the term "exposure" five times.

Although there were parts of the briefing where he used the word "leak," such as "We apologize for the inconvenience caused by this platform leak," "I will share the confirmed details regarding the leak of successful applicants' information," and "We will explain the targets and scope of the leak as soon as the investigation results are out," he ultimately chose the word "exposure" when explaining the specific items and facts of the leak.

In contrast, the notification text messages sent on June 18 and the data breach report submitted to the Personal Information Protection Commission (PIPC) detailed the leaked items, timing, and circumstances of the leak, but did not use the word "exposure."

Under the Personal Information Protection Act, the obligations and response measures of personal information processors regarding the loss, theft, or leak of personal information are stipulated, along with the imposition of fines and liability for damages.

However, regarding "exposure," the law only states that in the case of personal information exposed to the outside, the information must be deleted or blocked upon the request of a specialized agency.

This is why suspicions are being raised that the use of the term "exposure" in this case is an attempt to evade responsibility for the incident.

Critics also point out that such a move runs counter to the government's trend of tightening personal information regulations.

Previously, in late last year, the PIPC ordered Coupang, which had leaked personal information, to correct its notification of personal information "exposure" to a "leak" notification and to re-notify users by fully reflecting all leaked items.

This was based on the judgment that despite already confirming the leak, Coupang caused public confusion by notifying data subjects of an "exposure" and omitting some of the leaked items.

In May last year, the commission also rebuked SK Telecom, which had its personal information stolen, for notifying data subjects of a "possibility of a leak" rather than an actual leak.

Coupang and SK Telecom were fined 624.7 billion won and 134.7 billion won, respectively.

Kwon Hun-young, a professor at Korea University's Graduate School of Information Security, analyzed, "The concept of a 'leak' is established only when it is confirmed that the exposed information has been passed to a third party or unauthorized person (illegally)." He added, "In effect, the agency is claiming that hacking has not been proven."

He pointed out, "Normally, 'exposure' carries less responsibility than a 'leak.'" He added, "Furthermore, if they maintain this stance, the regulatory authority, rather than the ministry itself, would have to prove that a leak actually occurred."

(Photo: Yonhap News)
※ Please note: This article was translated by AI and may contain errors.