As personal data leaks continue to hit the retail and platform sectors, consumer anxiety is growing. Industry insiders say the issue is not just more hacking incidents, but that retailers hold large volumes of data attractive to hackers while the real burdens corporations bear after incidents are relatively limited, a structure that underpins repeat breaches.
According to the industry on the 10th, BGF Networks, which operates CU convenience store parcel delivery, announced on the CUPOST website on the 5th that it had confirmed signs that a hacker accessed the system without authorization and leaked personal information. According to BGF Networks, the leaked personal information includes name, mobile phone number, email, address, gender, ID, and password. The exact scale of the leak is under investigation. The Korean National Police Agency National Office of Investigation (NOI) Cyber Terror Response Division also launched a pre-case investigation. It plans to verify the leakage process and the scope of damage and carry out procedures necessary to identify and track the suspect.
On the 3rd, signs of a personal data leak due to hacking were also confirmed at Tving, the online video service (OTT) platform of CJ ENM. Earlier, in November last year, a massive personal information exposure incident involving about 33.7 million customer account records occurred at Coupang, causing a major social stir. The Personal Information Protection Commission will hold a full meeting on the 10th to review sanctions for the Coupang personal information leak.
While ordinary consumers consider card numbers or account information leaks more dangerous, data held by retail corporations that combine names, phone numbers, addresses, dates of birth, purchase histories, and delivery information can also cause major damage if leaked. Lim Jong-in, emeritus professor at Korea University's Graduate School of Information Security, said, "Information held by retail platforms has value when traded on the dark web," noting, "Ultimately, it becomes a target because it can be turned into money."
Retailers hold not only simple contact information but also data on consumers' living patterns. E-commerce companies accumulate purchase histories and payment patterns, parcel platforms gather delivery destinations and address information, and OTT platforms collect viewing histories and content consumption preferences. In effect, they can identify which brands someone prefers, which region they live in, and when and what they buy.
Choi Kyung-jin, a law professor at Gachon University, cited "recency" as the reason retail data is a prime target for hackers. Choi said, "Some personal information theft is used for financial fraud or phishing crimes, but it also has significant value in the advertising and marketing market," adding, "Retail data is continuously updated by users with their most recent information for delivery and payment, so its accuracy is high and its value is high." Choi added, "Phone numbers and addresses are often accurately linked to actual user information, giving it higher utility than data in other fields," and "The more accurate the information, the higher the price it commands on the illegal black market."
CI (connection information) and DI (duplicate subscription verification information), which were reportedly leaked in the recent Tving and CU parcel incidents, are also classified as sensitive by the security industry. CI and DI are used to identify the same individual across multiple platforms and, when combined with other personal information, can be exploited for targeted phishing or identity theft crimes.
Some say that, relative to the scale of data the retail sector holds, security investment has been a lower priority. In finance, strong regulations and oversight make security investment essential, but retailers have focused on expanding services and improving customer convenience. Professor Choi said, "In the early stages of a business, many judge that the tangible impact of investing in personal information protection is limited, so more resources go into service development or customer convenience," adding, "To make personal information protection the default of business, changes in executive awareness and policy support are needed."
The retail sector, however, says it is increasing security investment. A retail industry official said, "With recent personal data leaks occurring one after another, investment in and reinforcement of security management have become common tasks across the industry," adding, "Large companies already operate security systems at considerable expense. Because customer information leaks can lead to secondary and tertiary damage such as brand trust erosion, penalty surcharges, and customer churn, we are continually investing in stronger security."
◇ PIPC: "Penalty surcharge will continue to rise... stronger field-by-field inspections"
Still, one reason cited for the continued repetition of incidents is that the real damage felt by corporations is limited. When a personal information leak occurs, stock prices fall and consumer criticism and boycotts follow, but many corporations see user numbers and sales recover over time. For example, after last year's massive personal data leak, Coupang's monthly active users (MAU) temporarily declined, but returned to pre-incident levels within a few months. Many users who had canceled their Wow membership were also said to have rejoined. Bom Kim, chair of U.S.-based Coupang Inc., Coupang's parent, said on May 6 during a first-quarter earnings conference call, "Growth in Product Commerce revenue hit a low in January and has improved year over year every month since." Kim added that most existing customers did not leave after the data leak and about 80% of former Wow members rejoined.
The Personal Information Protection Commission says it is continually raising penalty surcharges to strengthen sanctions. A Personal Information Protection Commission official said, "We currently operate a penalty surcharge system based on revenue, and the cap will rise from the current 3% to up to 10%," adding, "We are also working to shift the personal information protection framework from after-the-fact response to prevention. We will conduct more granular field-by-field inspections and preventive activities."
Some also argue that a penalty surcharge-centered approach has limits. Professor Lim Jong-in said, "When even national intelligence agencies and global telecoms cannot avoid hacking, there are limits to a method that criticizes corporations solely for the occurrence of data leaks and only strengthens penalty surcharges," adding, "What matters is analyzing the causes of incidents to help other corporations avoid the same damage and strengthen prevention capabilities." Lim added, "Hacking is no longer a problem for a specific sector but a risk facing every industry," and "Along with sanctions and punishments, support policies that encourage corporate security investment and information sharing need to be discussed together."