Why it matters. Two breaches within days of each other at widely used Korean services show how exposed everyday consumers are, and the leaked data can fuel phishing and identity fraud well beyond Korea's borders.
Background. South Korea relies heavily on real-name verification online, so companies routinely hold rich identity data, including Connecting Information (CI) — an encrypted nationwide identifier that ties one person's accounts across many services. Breaches are policed by two state bodies, the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA), which require prompt reporting. The CU parcel-delivery service is operated by BGF Networks, while Tving is backed by entertainment conglomerate CJ ENM.
What to watch next. Expect PIPC and KISA findings on the scope of the leaks, and possible penalties or disclosure requirements as regulators probe whether the two breaches signal a broader campaign against Korean firms.
BGF Networks, the operator of South Korea’s CU convenience store parcel-delivery service, said on June 6 that an unidentified hacker gained unauthorized access to its systems on June 4 and exfiltrated the personal data of users, marking the second major Korean consumer-data breach disclosed in recent days.
What Was Exposed
According to the company, the stolen information includes users’ names, mobile phone numbers, email addresses, home addresses, gender, account IDs, passwords (stored with one-way encryption), and Connecting Information (CI). CI is a unique encrypted identifier issued in South Korea that links a person’s real-world identity across different online services, making it a sensitive data point in any leak.
BGF Networks said it blocked the attacker’s IP address immediately upon detecting the intrusion and has since completed remedial security measures. The company reported the incident at once to South Korea’s Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA), the government bodies that oversee data protection and cybersecurity, and said it is cooperating with their investigation.
What Users Are Advised To Do
The company stressed that passwords were encrypted and therefore secure, but urged anyone who reuses the same password across multiple sites to change it as a precaution. It also warned customers to be especially careful about calls from unknown numbers and about clicking on URL links contained in text messages — common vectors for phishing and follow-on scams after a leak.
CU is one of South Korea’s largest convenience store chains, and its in-store parcel pickup and drop-off service is widely used as a cheaper, more flexible alternative to standard courier delivery. That popularity means a large pool of everyday consumers may be affected.
Part of a Wider Wave
The breach follows a similar incident at Tving, the streaming platform operated by a subsidiary of South Korean entertainment giant CJ ENM. In that case, external unauthorized access exposed users’ names, mobile numbers, email addresses, gender, IDs, dates of birth, encrypted refund bank account numbers, one-way-encrypted passwords, Connecting Information (CI), and Duplication Joining Verification Information (DI).
The back-to-back disclosures highlight growing pressure on South Korean companies — which collect extensive identity data under the country’s real-name verification norms — to safeguard customer information against increasingly aggressive intrusions.
