Seoul Facilities Management Corporation is under investigation for allegedly withholding information about a data breach involving users of the public bike-sharing service 'Ddareungi'.
It is suspected that the corporation knew about the data breach, which occurred in July 2024, but did not disclose it for about 1 year and 6 months. The breach was reportedly caused by a DDoS attack, potentially exposing the personal information of up to 4.55 million users.
The leaked information may include IDs, phone numbers, and optional details such as email, date of birth, gender, and weight. The corporation claims that names and addresses were not part of the leaked data.
If it is found that the corporation intentionally withheld information about the breach, they could face legal consequences under criminal laws and the Personal Information Protection Act. The breach should have been reported to relevant authorities within 72 hours, according to the Act.
The Personal Information Protection Commission plans to impose severe administrative penalties, including heavy fines, if the corporation is found guilty of concealing the breach. They emphasized conducting a thorough investigation and holding those responsible legally accountable.