Only service disruption was reported after June 2024 DDoS attack
No leak report filed even after receiving KT Cloud's analysis
City refers those involved to investigative authorities and considers audit
The Seoul Metropolitan Government has notified investigative authorities about those responsible for omitting a report on signs of a personal data breach involving Ttareungi, the city’s public bicycle service. The cyberattack occurred in June 2024, meaning that, despite recognizing the leak, no action was taken for nearly two years. Critics say that not only the Seoul Facilities Corporation, which manages Ttareungi, but also the city government itself needs to inspect its information management systems.
A Ttareungi bicycle rack installed near City Hall Station on Sejong-daero in Jung-gu, Seoul. Photo by reporter Kang Jinhyeong
On February 6, the Seoul Metropolitan Government stated that a recent internal investigation had found that the Seoul Facilities Corporation confirmed a personal data breach at the time of the June 2024 cyberattack on the Ttareungi app but took no separate measures, so that no initial response to the breach was ever mounted.
Accordingly, the city has decided to identify the officials in charge at the time and refer the relevant individuals to investigative authorities. It will also notify the police of the corporation’s inadequate initial response.
The sequence of events is as follows. Between June 28 and June 30, 2024, a cyberattack presumed to be a Distributed Denial-of-Service (DDoS) attack took pages related to Ttareungi offline for about 80 minutes. The Seoul Facilities Corporation reported only a service disruption to the Digital Safety Control Center under the Ministry of the Interior and Safety; it filed no report of a personal data breach.
During a briefing the same day, Transportation Operations Officer Han Jeonghun said, “The server in question was operated by KT Cloud, and KT Cloud submitted an analysis report on the situation at the time to the Facilities Corporation on July 18 that year. The report included the statement that a personal data leak had been confirmed.”
He added, “The corporation did not report this fact to the Seoul Metropolitan Government and condoned it, and as a result, no measures were taken in relation to the personal data breach.” The city is considering an audit of those at the corporation who failed to report the incident.
The police are currently questioning a hacking suspect who allegedly extracted personal data during the cyberattack that had been presumed to be only a DDoS attack. The police became aware of this incident while investigating a separate case, when they discovered that leaked Ttareungi member data existed. “While questioning the suspect in another case, the police found Ttareungi-related information on this person’s computer and contacted the Seoul Metropolitan Government to verify the facts,” Han said.
Han also stated that, in the roughly 18 months since the time of the initial personal data breach, no additional leaks or cyber intrusions have been identified.
The city plans to cooperate fully with the investigation, including by forwarding KT Cloud’s report to the Personal Information Protection Commission and the Korea Internet & Security Agency. Based on the results of the police investigation and the commission’s inquiry, the city intends to strengthen its management and oversight framework to prevent a recurrence.
Previously, on January 30, the city disclosed indications that Ttareungi member information had been leaked. It has determined that the personal data of more than 4.5 million users, accounting for 90% of Ttareungi’s 5 million subscribers, was compromised.
The data the Ttareungi application (app) collects as mandatory items are user ID and mobile phone number; the optional items are email address, date of birth, gender, and weight. Names and addresses are not collected. The corporation explained, “Information that is not part of the collection items is not stored in the database, so it cannot be leaked.” However, any of the optional details that members entered voluntarily may have been exposed alongside the mandatory ones. Because personally identifying information such as phone numbers and dates of birth has been leaked, the possibility of secondary damage, such as phishing messages sent to the leaked numbers, identity theft or fraud, cannot be ruled out.
Beyond the city’s own response, with data breaches now reaching the public sector, the ruling party and the government have also moved to act. The Democratic Party of Korea and the Personal Information Protection Commission have decided to amend the Personal Information Protection Act to strengthen statutory damage compensation liability for personal data breaches at companies and institutions, regardless of whether the organization was at fault. An entity involved in a breach that fails to cooperate with an investigation would also face a non-compliance fine.
Under current law, when a personal data breach occurs, an affected individual does not need to prove the exact amount of damage; the court can determine the compensation amount within the statutory limit after comprehensively considering the circumstances of the breach and the scale of the damage. However, even in such cases, if the entity responsible for the breach proves that there was no “intent” or “negligence,” it is exempt from liability for the damage. The planned amendment will remove the “intent or negligence” requirement from the statutory damage provisions, thereby placing the overall burden of proof regarding personal data breaches on companies and other entities.
In particular, to review the personal data protection framework in the public sector, the Personal Information Protection Commission has launched a survey of 653 public institutions, examining their personal data protection systems and dedicated personnel. It has also announced directions for institutional improvements to strengthen personal data protection in the public domain. Follow-up procedures are under way for an amendment to the Personal Information Protection Act that would clarify the ultimate responsibility of agency heads and gradually make certification under the Information Security and Personal Information Protection Management System (ISMS-P) mandatory.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.