Korean Privacy Regulator Investigates TVING After Database Breach Exposes User Information

Key Takeaways
  • Regulatory Investigation Underway: The PIPC has formally launched an investigation into TVING following the company’s June 3 breach report.
  • Sensitive User Data Potentially Exposed: The compromised database reportedly contained personal information including names, birth dates, contact details, refund account numbers, passwords, CI, and DI identifiers.
  • Focus on PIPA Compliance: Regulators will examine whether TVING complied with safeguard requirements and breach reporting obligations under South Korea’s Personal Information Protection Act.
  • Scope Still Unknown: Authorities have not disclosed how many individuals may have been affected or the full extent of the data exposure.
  • Potential Enforcement Action: The PIPC said it will pursue enforcement measures if violations of the Personal Information Protection Act are identified.
Deep Dive

South Korea’s privacy regulator has opened an investigation into streaming platform TVING after the company disclosed a data breach involving unauthorized access to a database containing user personal information.

The Personal Information Protection Commission (PIPC) announced that it had launched an investigation into TVING Corp. following a breach notification submitted by the company on June 3. According to the regulator, TVING identified unauthorized access to a database holding user information on June 2.

TVING is one of South Korea’s major over-the-top (OTT) media service providers.

According to information provided to the PIPC, the compromised data may include user IDs, names, dates of birth, gender information, phone numbers, email addresses, refund account numbers, passwords, and other personal information. The regulator said some of the exposed information was encrypted.

The reported breach also involved connection information (CI) and duplication information (DI), identifiers commonly used within South Korea’s digital identity ecosystem. CI is used to link users across different platforms, while DI is used to prevent the creation of multiple accounts by the same individual on a single platform.

The PIPC said its investigation will examine the circumstances surrounding the incident, including how the unauthorized access occurred, the scale of the breach, and whether TVING complied with security safeguard requirements under South Korea’s Personal Information Protection Act (PIPA).

The regulator will also review whether the company met its legal obligations related to breach reporting and notification. The investigation will include requests for information from the company as well as on-site inspections.

The commission stated that it will take enforcement action if violations of the Personal Information Protection Act are identified during the course of the investigation. The number of affected individuals has not been disclosed, and the PIPC has not provided additional details regarding the nature of the unauthorized access or the extent of the exposure.
