Security and Privacy Insight — 2026-06-22

1. Data Breach Incidents and Implications

Data Leak at the Ministry of SMEs and Startups' "Startup For All"

A major data breach occurred at "Startup For All," a startup support platform under the Ministry of SMEs and Startups. The emails, personal information, and startup idea summaries of over 5,000 successful applicants were exposed. Investigations revealed that a partner company involved in the project was hacked.

Notably, despite warnings about API vulnerabilities before the incident, the breach resulted from a "traditional, preventable method." The Ministry issued an official apology on the 18th and is currently handling the aftermath.

2 sources

yna.co.kr

중기부,

yna.co.kr

yna.co.kr

Surge in TVING Data Breach Lawsuits

The class-action lawsuit regarding the data breach at the OTT platform TVING is expanding rapidly. The number of participants jumped from 50,000 to 120,000 in just one week. In court, the core issue is the causal relationship between the failure to uphold safety obligations and the actual breach, with debates expected over the risks of CI (Credit Information) and the scope of damages.

1 sources

etoday.co.kr

티빙 개인정보 유출 소송 일주일 새 5만→12만명…‘안전조치 위반’ 쟁점 - 이투데이

Coupang Continues Hiring Growth Despite Breach

Coupang, which suffered a massive data breach in November 2025, is sticking to its expansionist hiring strategy. It created over 8,000 additional jobs last year, surpassing 100,000 employees and remaining the only company among the top five to show growth.

1 sources

sisajournal.com

쿠팡 고용 ‘10만 명’ 돌파…고용 상위 5개 기업 중 유일하게 증가 < 산업/재계 < 경제 < 기사본문 - 시사저널

2. Breach Incidents and Legal Precedents

Tightening Legal Liability for Data Breaches

Recent legal precedents have confirmed that Brute Force Attacks constitute "illegal access" to personal information. This implies that a company's security obligations now extend beyond mere encryption or access control to include active defense against intrusions.

Furthermore, there is an increasing likelihood that sharing publicly available information with third parties without separate consent will be judged as unlawful, making the precision of terms and conditions essential.

3. Latest Personal Information Protection Act Updates (Essential for CISO/CPOs)

Strengthening CPO Independence and Mandatory ISMS-P

An amendment to the Personal Information Protection Act is in the pre-announcement stage, focusing on guaranteeing the substantive role and authority of CPOs. Key highlights include strengthening CPO independence and making ISMS-P certification mandatory for personal information processors above a certain size.

Easing CISO Dual-Role Restrictions and Mandatory Board Reporting

Following an amendment to the Information and Communications Network Act approved at a cabinet meeting on June 1, 2026, CISO dual-role restrictions have been eased, allowing them to perform related duties such as those of a CPO. Concurrently, both CISOs and CPOs are now required to report to the Board of Directors, necessitating structural adjustments before the law goes into effect to avoid conflicts in reporting lines.

Security Investment and Reduced Penalties

The amendment allows for insufficient investment or management deficiencies to be evaluated as gross negligence, while documented records of investment in security budgets and personnel are explicitly stated as grounds for reducing fines. Security must now be recognized as a management responsibility, not a sunk cost.

Editor's Note: Since new regulatory disclosures were limited during the current data collection period (24 hours since 2026-06-20), this summary focuses on the recent legislative pre-announcements. CISOs and CPOs are advised to keep an eye on the draft enforcement decrees expected between June and July.