TVING, a domestic over-the-top media service (OTT) that is pushing ahead with a merger with Wavve, has been hit by a major setback after a large-scale personal information leak. The breach is believed to involve about 13 million users, and concern is growing after it was confirmed that Connecting Information (CI), often described as an online resident registration number, was also included. Criticism is also mounting over TVING's response, as controversy continues over when the company became aware of the incident, when it reported it, and how it notified users.
According to industry sources on the 15th, TVING confirmed that personal information was leaked after unauthorized access occurred on the 2nd in a Database (DB) storing user data. The company reported the incident to the Korea Internet & Security Agency (KISA) the following day and notified users of the leak. As authorities investigate the exact cause and scale of the breach, users are also beginning to move toward class action lawsuits.
In response to the incident, Jihyang Law Firm recently filed a damages suit at the Seoul Central District Court on behalf of 1,051 users affected by the TVING data breach. The plaintiffs are seeking 300,000 won in compensation per person. Another law firm, Sedam Law Firm, is also said to have received notices of intent to join the lawsuit from tens of thousands of users. With the number of victims reaching 13 million, the scale of litigation could grow even larger.
The fallout is seen as especially serious because the breach went beyond ordinary personal data and included CI and Duplicate Registration Verification Information (DI). CI is a unique identifier generated from resident registration numbers and other data, and it is used to identify the same person across multiple online services. Because it is so sensitive, and because it is difficult to change once exposed, experts warn that it could be misused for a long time.
According to TVING's recently launched service for checking leaked personal data items, the breach included not only names, dates of birth, mobile phone numbers, and email addresses, but also CI, DI, and payment-related information. Legal action is spreading more quickly now that CI has also been confirmed as part of the leak.
The controversy does not end there. Users were only able to check the specific items leaked from their accounts long after the incident had already been announced. Many users say their anxiety deepened after learning the full extent of the damage only belatedly.
In politics, lawmakers have raised questions about TVING's response, saying the company failed to detect the hacker's unauthorized access for about 21 hours and filed its report with KISA just one minute before the legal deadline. The Democratic Party of Korea said in a recent briefing that "the 13 million-user data leak included CI, which is known as a digital resident registration number," and called for a thorough investigation and severe sanctions.
TVING rejected suggestions that it tried to downplay the incident. A company official told Sportschosun in a phone interview that "there is absolutely no reason to minimize or hide the incident" and that the company is "working closely with the authorities while focusing on resolving the situation and protecting users."
On criticism that the disclosure of leaked items came too late, the company said it needed time to determine the exact scope of the damage. TVING explained that it was difficult to issue a blanket notice before confirming what information had been exposed, and that it had been conducting an investigation and consulting with the relevant authorities to identify the items leaked for each user.
TVING is now reviewing additional protective measures and compensation plans. The company said it is discussing user relief measures internally and will provide details once the investigation results are finalized. It added that it is continuing system checks and follow-up measures while cooperating with the authorities.
Industry observers say TVING's legal and financial burden is likely to grow depending on the results of the Personal Information Protection Commission (PIPC) investigation and the progress of the class action lawsuits. The PIPC recently imposed a record fine of about 624.7 billion won on Coupang after 33.7 million users' personal information was leaked. In TVING's case, the fact that CI, effectively an online resident registration number, is also believed to have been included in the leak means the outcome of the investigation and the level of sanctions will be closely watched.
Some observers say that if penalties and litigation costs continue to rise, they could also become a burden on TVING's merger push with Wavve.
Questions are also being raised in political circles about TVING's response to the incident and its overall personal data management system. Lee Joo-hee, floor spokesperson for the Democratic Party of Korea, said in a recent briefing that "the problem is the complacency of companies that treat security as nothing more than a cost, along with weak penalties," adding that "the strictest possible fines and sanctions under the current Personal Information Protection Act are necessary."
Moon Ji-yeon
