A personal data leak has occurred at South Korean online video service (OTT) platform Tving, and concerns over secondary harm are spreading after linked information (CI) was also included among the leaked items.
On June 4, Tving and related industry sources said an unidentified hacker recently gained unauthorised access to Tving’s user personal information database and exfiltrated a customer information file. Leaked items include member IDs, dates of birth, gender, mobile phone numbers, email addresses, refund account numbers, passwords, linked information (CI) and duplicate sign-up check information (DI). After detecting the incident on June 1, Tving reported it to the government and took steps including blocking the attacker’s IP addresses, changing its cloud access control policies and strengthening database access monitoring.
CI leak dubbed 'digital resident number' raises identity theft worries
Because a high-risk item, the CI, was taken, there are calls for swift countermeasures. A CI is a unique value used to identify the same person during online identity verification. It is designed to confirm that a user is the same individual across multiple services without directly exposing the resident registration number, which is why it is also called a "digital resident number".
The problem is that, unlike a password, a CI cannot in practice be changed by the user. The security industry assesses that the incident could go beyond a simple leak of account information and become a long-term risk of personal data misuse. A CI alone does not immediately enable damage such as charging service fees or opening financial accounts, but combined with other leaked personal information it lets attackers identify and track specific individuals.
Hwang Seok-jin (황석진), a professor at Dongguk University’s Graduate School of International Information Protection, said CI is a unique identification value generated by identity verification agencies based on real-name information and is used to confirm whether a person is the same individual on other sites or services. He said it is highly sensitive information because it can lead to identity theft when combined with a name, mobile phone number and email address.
Hwang added that attackers could combine additional information to develop voice phishing or smishing beyond the level of general spam into methods targeting specific individuals. He said a close inspection is needed of the circumstances of the incident and the scale of damage.
Government also judges it a 'serious incident' as science ministry, privacy watchdog and broadcasting regulator begin response
The Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) demanded preservation of related data and began investigating the cause of the incident and the scale of damage immediately after Tving reported the breach on June 1. On June 3, they urgently convened an investigation deliberation committee and judged the case to be a serious incident, forming a joint public-private investigation team.
The joint team includes the ministry and KISA as well as private-sector experts in forensics and cloud services. The team will examine the hacker’s intrusion route, the scale of personal information leakage, and the adequacy of Tving’s technical and administrative protective measures. A key issue is expected to be how high-risk information including CI was stored and managed, and whether encryption and access control were properly implemented.
The Personal Information Protection Commission has also moved. After receiving a leak report from Tving at 2 a.m. on June 3, it began an investigation on June 4. Through requests for data submissions and on-site inspections, it will investigate the specific circumstances of the leak, the scale of damage, and whether the company complied with the Personal Information Protection Act, including obligations for security measures and leak notifications and reporting. The commission emphasised that it plans to impose strict measures in accordance with relevant laws if violations are found.
The Broadcasting Media Communications Commission has also stepped in. It began an emergency fact-finding inspection of Tving on June 4. A CI leak was also an issue in a previous Lotte Card hacking incident. In April, the commission decided that Lotte Card had violated its duty to take safety measures for linked information and approved an administrative fine of 11.25 million won and a recommendation for improvement. The CI leaked in the Lotte Card hack involved about 1.29 million people. Given that Tving’s subscriber base is estimated at about 5 million, the possibility cannot be ruled out that more CI than in the Lotte Card case was leaked. Tving is currently determining the exact scale of the leak.
"After-the-fact measures have limits; management awareness must change"
The security industry advises that repeated hacking incidents should not be handled with after-the-fact measures alone. There are limits to containing damage when the only process is investigation, sanctions and recurrence-prevention measures after an incident has already occurred. Platform services such as OTT hold a wide range of personal data and must keep encryption, access controls and anomaly detection operating at all times, not just after a breach.
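The investigators' key question (how the CI was stored, and whether encryption and access control were in place) and the industry advice above come down to one design choice. The following Python illustration is added here and is not Tving's code, nor anything from the investigation: it shows the risky pattern of keeping the CI in the clear in the member table, beside a pseudonymised alternative that stores only a keyed hash (HMAC-SHA256) under a key held outside the database, so that a copied table does not yield the CI while duplicate sign-up and same-person checks still work. The class and function names and the sample CI strings are constructed for the example; only the standard library is used.

```python
"""Added example (not Tving's code): storing a CI-type identity-linking value
as a keyed pseudonym instead of in the clear, so that a copied member table
does not hand the attacker the CI itself.

Only the Python standard library is used. The CI strings below are
constructed placeholders, not real values.
"""
import hashlib
import hmac
import secrets


def ci_token(ci: str, key: bytes) -> str:
    """Deterministic pseudonym for a CI: HMAC-SHA256 under a service-held key.

    Deterministic, so equality still answers "is this the same person?";
    keyed, so the token cannot be recomputed from a CI without the key
    (an unkeyed SHA-256 could be, by anyone who obtains the CI elsewhere).
    """
    if not ci:
        raise ValueError("empty CI")
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    return hmac.new(key, ci.encode("utf-8"), hashlib.sha256).hexdigest()


class PlaintextMemberStore:
    """The risky pattern: the CI sits in the same table as everything else."""

    def __init__(self):
        self.rows = {}  # member_id -> row dict

    def register(self, member_id, email, ci):
        if any(r["ci"] == ci for r in self.rows.values()):
            return False  # duplicate sign-up: same person already registered
        self.rows[member_id] = {"member_id": member_id, "email": email, "ci": ci}
        return True

    def export(self):
        """What an attacker who copies the table obtains."""
        return list(self.rows.values())


class PseudonymisedMemberStore:
    """Hardened pattern: only ci_token() is stored; the key lives elsewhere."""

    def __init__(self, key: bytes):
        self._key = key  # in practice an HSM/KMS-held key, never in the DB
        self.rows = {}

    def register(self, member_id, email, ci):
        tok = ci_token(ci, self._key)
        if any(r["ci_token"] == tok for r in self.rows.values()):
            return False  # duplicate sign-up detected on the token alone
        self.rows[member_id] = {"member_id": member_id, "email": email, "ci_token": tok}
        return True

    def same_person(self, member_id, ci):
        """Check a freshly verified CI against the stored pseudonym."""
        row = self.rows.get(member_id)
        return row is not None and hmac.compare_digest(
            row["ci_token"], ci_token(ci, self._key)
        )

    def export(self):
        return list(self.rows.values())


def dump_exposes_ci(dump, ci: str) -> bool:
    """Does a copied table reveal this CI anywhere, in any column?"""
    return any(ci in str(v) for row in dump for v in row.values())


# Constructed sample data (not real CIs).
SAMPLE_CI_A = "CI_sample_value_A_" + "x" * 70
SAMPLE_CI_B = "CI_sample_value_B_" + "y" * 70


def demo():
    """Register the same users in both stores and compare what a dump leaks."""
    key = secrets.token_bytes(32)
    plain = PlaintextMemberStore()
    safe = PseudonymisedMemberStore(key)
    for store in (plain, safe):
        assert store.register("u1", "a@example.com", SAMPLE_CI_A)
        assert store.register("u2", "b@example.com", SAMPLE_CI_B)
        assert not store.register("u3", "c@example.com", SAMPLE_CI_A)  # duplicate
    return {
        "plaintext_dump_exposes_ci": dump_exposes_ci(plain.export(), SAMPLE_CI_A),
        "pseudonymised_dump_exposes_ci": dump_exposes_ci(safe.export(), SAMPLE_CI_A),
        "same_person_check_still_works": safe.same_person("u1", SAMPLE_CI_A)
        and not safe.same_person("u1", SAMPLE_CI_B),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats apply. The token still identifies one person uniquely, so it remains personal data and the key must be access-controlled and logged separately from the database; an attacker who takes both the table and the key can link tokens to CIs just as well. And a service that must retain the CI itself (for exchange with identity verification agencies or partners) should encrypt it under a key management service rather than hash it; the pattern above covers the common case where the CI is kept only for same-person checks, and it says nothing about the phone numbers, refund account numbers and passwords that were also taken in this incident, which need their own protection.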
Park Choon-sik (박춘식), a former professor in Ajou University’s Department of Cyber Security, said security awareness among corporate managers must rise above all. He said the government should also actively pursue policies that support companies’ pre-emptive efforts to strengthen security, not only regulation.
Tving, meanwhile, promised thorough follow-up measures through an apology issued in the name of Chief Executive Choi Joo-hee (최주희). Choi said responsibility lies entirely with Tving for failing to protect the information users entrusted to it. She said the company would transparently inform users of progress and follow-up actions, and would take responsibility through to the end for damage relief and user protection.