Tving logo.

[Digital Today, by Jin-ho Lee] The fallout from a personal data leak at Tving is spreading to telecom carriers and platforms. Customers who received Tving passes as compensation for a carrier hacking incident have again suffered a data leak. Members who used Tving through platform simple logins were also confirmed to be among those exposed, prompting calls for fundamental countermeasures.

Data obtained on July 16 by the office of Democratic Party lawmaker Jeong-heon Lee (이정헌) from the Personal Information Protection Commission and the Ministry of Science and ICT show the scale of the Tving data leak confirmed so far stands at 19,530,000 people, close to 20,000,000.

◆ Fallout reaches carriers… also affects simple-login users

The fallout is growing because the issue is not limited to users who signed up directly to Tving. Earlier this year, KT provided Tving passes as part of one of its customer reward programmes related to a hacking incident. The lawmaker's office said about 586,000 customers chose the Tving pass among multiple benefits. Of those, about 416,000 who actually registered the Tving pass were included among the targets of this data leak. Members who logged into Tving using accounts from other platforms such as Naver and Kakao were also found to be among those exposed.

Simple login is a feature that lets users sign up for or access external services using existing platform accounts without creating separate IDs and passwords. In this process, some information such as a user's name, email, contact details and identifying information, to which the user agreed, may be transmitted to the external service provider.

The problem is that it is difficult for users to accurately recognise what information they provided to which company. Users who did not create a dedicated Tving account may not consider themselves victims of the Tving data leak. An official in the security industry said, "Simple login, which was made for convenience, has effectively become a channel for personal data leaks," adding, "Fundamental measures and steps to prevent recurrence are needed."

The incident is prompting calls to review personal data management systems tied to corporate partnerships and simple logins. From a user's perspective it is a single service, but in practice personal data is linked across telecom carriers, platforms and content providers.

◆ Tving follow-up steps still pending… counting standards also an issue

The industry is closely watching the results of a joint public-private investigation team. The Ministry of Science and ICT last month deemed the Tving case a serious incident and formed the team. The team is reported to be investigating Tving’s breach route and security measures, as well as the scale of damage by signup route and information transmitted through partner services.

Depending on the findings, the scope and method of user compensation by Tving are also expected to be decided. After issuing an apology statement in the name of CEO Joo-hee Choi (최주희) on July 3 last month, Tving has not announced a separate compensation plan or follow-up steps. Attention is also on whether members who used Tving through partner programmes or simple logins, as in the KT case, will receive the same compensation and protective measures as direct subscribers.

A Tving official said, "We can disclose a compensation plan and future plan after accurate investigation results are released," adding, "We are sincerely cooperating with the government and related agencies' investigations."

The reasons the affected scale of 19,530,000 people far exceeds Tving’s paid subscribers and monthly active users also needs to be determined. That is because the tally may include cases where one person created accounts through multiple signup routes, accounts that have not used the service for a long time, or accounts created through partner services.

An industry official said, "As interconnection between services expands, a security incident at one company can affect customers of entirely different companies," adding, "Beyond assigning responsibility, a response system is needed to inspect the entire process of partnerships and interconnection."

Keyword

#Tving #KT #Personal Information Protection Commission #Ministry of Science and ICT #Naver
Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.