Concerns over data breaches have resurfaced following incidents involving the online streaming service Tving and the convenience store CU.
According to industry sources, investigations are underway into Tving and BGF Networks, which operates CU, for large-scale personal information leaks. Attention is also focused on proposed amendments to the Personal Information Protection Act being pushed by the Personal Information Protection Commission (PIPC).
The PIPC recently received a report of a data breach from Tving and has initiated an investigation. The leaked information is believed to include user IDs, names, birth dates, genders, mobile phone numbers, email addresses, linked information (CI), duplicate membership verification information (DI), refund account numbers, and passwords. BGF Networks has also confirmed signs of customer information being leaked and is currently responding to the situation. The leaked data includes user IDs, passwords, names, birth dates, genders, addresses, emails, and mobile phone numbers.
The industry is particularly concerned about the CI leak. CI is a unique identifier generated by identity verification agencies, used to confirm the identity of individuals without directly storing their resident registration numbers. Past data breaches, including those involving Coupang and Lotte Card, have also included CI information. While individual incidents may have limited impact, the combination of multiple breaches can significantly increase risks.
Security experts warn that if the leaked information from separate incidents is linked together, it could be used to reconstruct individuals' consumption patterns, preferences, and personal information. For instance, if previously leaked shopping history data is linked with Tving's content usage information through the same CI, much of an individual's online activity could be identified. If this is combined with address or contact information, the risk of secondary crimes such as voice phishing or smishing could increase.
In light of these concerns, the PIPC has proposed amendments to the Personal Information Protection Act that would allow fines of up to 10% of a company's total revenue for repeated and serious data breaches. Previously, the maximum fine was capped at 3% of total revenue. The increase aims to impose punitive fines on companies that neglect data protection and to encourage investment in security measures. The amendments are set to take effect on September 11, and the PIPC is currently in a public consultation period.
Some in the industry believe that the proposed amendments could lead to discrimination against domestic companies. Coupang is a prime example. The PIPC plans to determine the final penalty for Coupang's data breach during a plenary meeting on June 10.
Under the law in force at the time of the breach, which caps fines at 3% of total revenue, the maximum fine could exceed 1 trillion won. However, the U.S. government has expressed concerns that imposing penalties on Coupang could disadvantage American companies, which suggests that the actual penalty may be lower. Legal experts estimate that the fine imposed on Coupang could range from 300 billion to 400 billion won.
As a result, there are fears that the proposed amendments to increase fines could lead to discrimination against domestic companies. Enforcement against global platform operators is challenging, while domestic firms may bear a heavier regulatory burden. The outcome of Coupang's penalties is expected to set a precedent for future data breach incidents.
Park Chun-sik, a former professor of cybersecurity at Ajou University, stated, "While it is necessary to strengthen responsibilities for data protection, if the perception arises that only domestic companies are bearing excessive burdens, it could lead to allegations of discrimination. A policy that encourages both stricter penalties and increased security investment by companies should be implemented concurrently."
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.

