A hacking incident involving BGF Networks has led to a personal data leak. BGF Networks operates the CU convenience store delivery service and is an affiliate of BGF Retail Co., Ltd., the operator of CU convenience stores. Since its founding in 2009, the company has grown based on BGF Group's retail and logistics network centered on the CU brand. It was once a subsidiary of BGF, but BGF Retail Co., Ltd. acquired all of its shares in 2024. Some in the industry are now questioning whether security and data management were neglected amid competition in the convenience store delivery market. The leak is being linked to vulnerabilities in the company's own systems. Concerns are also growing over possible direct and indirect secondary damage. That is because convenience store delivery services have become a daily-life platform, and many consumers use similar IDs and passwords across services.
According to the convenience store and security industries on the 10th, BGF Networks said on its website on the 5th that an unidentified hacker had breached its internal systems and leaked customer personal data. The exposed information included names, mobile phone numbers, email addresses, addresses, gender, IDs, passwords (encrypted), and Connecting Information (CI). BGF Networks said, "We deeply regret our failure to safely protect our customers' valuable information," and added, "We took internal and external measures immediately after the incident."
After recognizing the hacking incident at 3:30 p.m. on the 4th, BGF Networks blocked the attacking IP address, completed security measures, and activated its incident response team to strengthen monitoring. It also reported the breach to relevant authorities, including the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA). The Cyber Terror Response Division of the National Office of Investigation said on the 8th that it had been conducting a preliminary inquiry since the 6th into the personal data leak involving the CU convenience store delivery service. The move is aimed at establishing the overall facts of the case and quickly identifying and arresting the suspect. The police also plan to carry out procedures needed to confirm how the data was leaked, assess the scale of the damage, and identify and track those involved.
Inside and outside the industry, there are growing concerns that the leak could lead to secondary damage. That is because CI was included among the leaked items. CI is a linking identifier used for online identity verification and to identify the same person across multiple services. Some users of everyday services such as convenience store delivery use the same ID and password across several online platforms, raising concerns that the leaked information could be combined and abused for credential stuffing attacks against other platforms. There are also concerns that the stolen personal data could be used for Smishing or Phishing crimes.
In that context, BGF Networks urged customers immediately after learning of the breach to change their passwords if they use the same password on other sites, saying that passwords are encrypted and therefore secure. It also warned customers to be cautious about answering calls from unknown numbers or clicking URL links in text messages.
BGF Networks said it has not confirmed any financial damage so far. However, as the police investigation continues, the company said it will closely monitor the situation and prepare response measures. BGF Networks said, "We sincerely and deeply apologize for the personal data leak," adding, "We are actively cooperating with the ongoing police investigation."
By Se Hyung Kim, fax123@sportschosun.com
