[Exclusive] Ddarungi Data Leak: Insurance Coverage Limited to Only 10 Million Won... "Expansion Under Review"

Insurance Coverage Limited to 10 Million Won for Penalties
Maximum Fine of 2 Billion Won for Personal Information Leaks at Public Institutions
Systematic Removal of Unnecessary Data... Compensation for Victims Under Review

It has been revealed that the maximum penalty coverage limit of the personal information liability insurance held by Seoul Facilities Corporation, an agency under the Seoul Metropolitan Government, is only about 10 million won. Seoul Facilities Corporation is currently under investigation after it was belatedly discovered that the personal information of 4.62 million members of the public bicycle service Ddarungi had been leaked.

Seoul Facilities Corporation, which experienced a data breach involving 4.62 million members of Seoul's public bicycle service "Ddarungi," has decided to strengthen its response capabilities by increasing the coverage of personal information compensation insurance, hiring dedicated information security personnel, and conducting simulated hacking training. Photo by Jin-Hyung Kang aymsdream@


According to the Seoul Metropolitan Government on April 29, Seoul Facilities Corporation has been continuously maintaining personal information liability insurance since October 2024. Personal information liability insurance is a product that covers costs arising from various information security incidents, such as personal information leaks and cyber accidents.


The coverage of the insurance held by the corporation is limited to 10 million won each for penalties, notification costs via text messages in the event of an incident, and crisis management consulting expenses.


In June 2024, Seoul Facilities Corporation experienced a large-scale leak of Ddarungi member information but failed to take action for nearly two years, resulting in an investigation by the Personal Information Protection Commission and a police probe. The leaked data includes IDs, emails, mobile phone numbers, dates of birth, gender, and weight, and the specific leaked items for each member are currently being verified by investigative authorities.


The Personal Information Protection Commission has set the maximum penalty at 2 billion won for public institutions that have no sales or for which it is difficult to calculate sales figures in the event of a personal information leak. In addition, the amount of the penalty is determined by considering factors such as the duration of the violation, whether the violation was intentional or due to gross negligence, and whether the operator led the violation. For example, about 600 million won was imposed on Chonbuk National University and 200 million won on the National Court Administration for personal information leaks caused by hacking attacks.


In the case of Seoul Facilities Corporation, considering that the number of leaked Ddarungi member records reached 4.62 million and that the initial response after the cyberattack was inadequate, the penalty coverage limit of 10 million won appears to be severely insufficient. In response, an official from the Seoul Metropolitan Government stated, "We are reviewing measures to increase the coverage limit of the corporation’s personal information liability insurance."

Furthermore, according to the "Follow-up Measures and Recurrence Prevention Plan for the Ddarungi Personal Information Leak" submitted by the Seoul Metropolitan Government and the corporation to the office of Song Doho, a Seoul Metropolitan Council member from the Democratic Party, the corporation plans to hire two dedicated information security personnel within this year and to address system vulnerabilities through a review of the Ddarungi system by the end of the year.


Additionally, the corporation plans to establish a more systematic "Integrated Manual for Cyberattack and System Failure Response" to reinforce its response capabilities, building upon the currently operated "Information System Processing Work Manual." The Seoul Metropolitan Government and the corporation will also conduct simulated hacking drills and provide information security training for employees to ensure thorough preventive measures.


An official from the Seoul Metropolitan Government stated, "We are conducting a comprehensive review of the types of personal information collected for Ddarungi membership, and we plan to systematically remove unnecessary data." The official added, "Once the specific scale and details of the leaked data are determined, we will also take measures to compensate affected individuals."


In relation to this, on April 28, the Seoul Metropolitan Council passed an ordinance bill in a plenary session that allows for compensation, such as providing ‘Ddarungi usage vouchers’, in cases where users experience inconvenience due to system failures or personal information leaks when using public bicycles.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.