As LG Uplus reported the leak of call information from its artificial intelligence (AI) calling app "Ixio" to the Personal Information Protection Commission, it appears the leak stemmed from a worker's mistake but was detected through a customer report. Ixio is an AI service that LG Uplus launched in Nov. last year. It offers real-time voice phishing detection, call recording and summaries, and recently surpassed 1 million subscribers.
LG Uplus said on the 6th that "during operational improvement work for the Ixio service, an error in cache (temporary storage) settings led to a phenomenon where some information of 36 customers—▲counterparty phone numbers ▲call times ▲call content summaries—was temporarily exposed to 101 other users," adding, "we completed a report to the Personal Information Protection Commission at around 9 a.m. on the 6th." The company said it confirmed that unique identifiers such as resident registration numbers and passport numbers, as well as financial information, were not included in the leaked data.
The company estimates the time window during which personal information could have been exposed as from 8 p.m. on Dec. 2 to 10:59 a.m. on Dec. 3. The form of call information leakage was that information of Ixio user B, whom Ixio user A did not know at all, appeared on A's phone. The information of 36 people was exposed to 101 users who newly installed or reinstalled Ixio, in groups of 1 to 6.
The call information leak came to light when a customer discovered content in Ixio that was not their own information and reported it to Voice of Customer (VOC). The customer reported the anomaly at around 10:20 a.m. on Dec. 3. After the report, the company immediately began identifying the cause and restoring the service, and said that within about 40 minutes no further exposure occurred and measures were taken to prevent the exposed call information from being retrieved. It then guided all affected customers by phone, and notified those hard to reach via text messages and other means.
LG Uplus emphasized that this was a simple mistake by a worker, that the number of customers whose call information was leaked will not increase beyond 36, and that the incident is different from hacking.
LG Uplus also said it complied with the rule requiring a report to the Personal Information Protection Commission within 72 hours of recognizing a personal information leak. Under the Personal Information Protection Act, personal information controllers such as corporations or institutions must report to the Personal Information Protection Commission within 72 hours if personal information concerning 1,000 or more data subjects is leaked, or if sensitive information or unique identification information is leaked. This incident did not meet the reporting threshold, it said, but the company reported voluntarily.
For compensation for customers whose call information was leaked, LG Uplus plans to discuss the matter in order after the Personal Information Protection Commission completes its investigation, taking into account fault, scope, and scale. A spokesperson for LG Uplus said, "We apologize for the inconvenience and concern caused to our customers," adding, "this matter is not related to hacking, and we will actively cooperate with subsequent investigations by relevant authorities."