Startup Program Data Leak Caused by Participating AI Firm Exploiting API Vulnerability

A significant data breach has affected the 'Modu-ui Chang-eop' (Startup for All) program, with personal information of 5,000 participants leaked. The Ministry of SMEs and Startups confirmed that the breach was caused by a hack originating from an AI solution company involved in the project. This firm allegedly exploited an unsecured API to gain unauthorized access to non-public email addresses.

“

The project's participating solution company secured information through abnormal API calls.

According to the report from lawmaker Kang Seung-kyu's office, the AI solution provider obtained private email addresses through abnormal API calls. These emails were not intended for public display but were accessible through specific API calls and AI-based automated collection methods, including web crawling. While the service interface blocked direct access, vulnerabilities in certain server APIs, such as those for challenger profiles and review feedback, were exploited.

The Korea Institute of Startup & Entrepreneurship Development (KISED) has notified all 5,000 affected individuals via text message and reported the incident to higher authorities. The compromised API was immediately blocked on June 15th at 4 PM, and measures to prevent AI-based automated collection and web crawling are being implemented. To mitigate further damage, a function allowing participants to check if their personal information was leaked will be added to the program's website, and a dedicated contact point for reporting additional damages is being established.

“

We plan to establish a function on the website to check for personal information leaks.

The Ministry of SMEs and Startups acknowledged the severity of the incident, stating that all necessary measures are being taken to prevent further spread of damage, address the situation, and prevent recurrence. The ministry plans to operate a thorough inspection system with relevant agencies to ensure the stable operation of the 'Modu-ui Chang-eop' project moving forward. The leaked data included personal email addresses, idea summaries, and self-introductions that participants had opted to keep private.

“

We are taking this personal information leak incident very seriously and are pursuing all necessary measures to prevent damage spread, resolve the incident, and prevent recurrence.