TVING data breach exposes 19.53 million users' personal information

South Korean online video service TVING has confirmed a significant data breach, with personal information of an estimated 19.53 million users compromised. The exposed data includes not only basic personal details but also sensitive information like CI (Connecting Information) and DI (Duplicate Information), raising concerns about potential secondary damages.

TVING reported the incident on June 1 and officially apologized on June 3, acknowledging unauthorized access to its user database by an unidentified hacker. The leaked information encompasses user IDs, names, birthdates, genders, CI, DI, phone numbers (last four digits encrypted), email addresses (partially encrypted), refund account numbers (encrypted), passwords (one-way encrypted), affiliate service usage details, cash balances, and payment history.

The Ministry of Science and ICT and the Personal Information Protection Commission have launched a joint investigation. Data submitted to the National Assembly indicates the scale of the breach far exceeds TVING's paid subscriber base of approximately 5 million and monthly active users of around 8 million. This has led to suspicions that personal data of former or dormant accounts, potentially not deleted within legal timeframes, may have been left vulnerable.

TVING stated it has taken immediate steps, including blocking the attacker's IP address and revising cloud access policies, to prevent further damage. They have also urged users to change passwords for TVING and any other services using the same credentials. Meanwhile, a class-action lawsuit has been initiated by affected users, with over 100,000 participants seeking 300,000 won each in damages. Concerns have also been raised about TVING reportedly reducing its information security investment by about 20% despite recent growth.