[26.06.10] Tving Data Breach Affects 13 Million Users

by monotake 2026. 6. 10. 22:36

Tving's 13 Million User Data Breach Slams the Brakes on OTT Growth

📍Cloud security management concerns emerge as AWS access key issues surface, leaving Korea's homegrown streaming platform facing a critical test of trust amid potential fines and class-action lawsuits

The rapid growth of South Korea's homegrown online video streaming service Tving has come to an abrupt halt. What began as an unprecedented large-scale personal data breach has evolved into a broader crisis of confidence, raising concerns not only about cybersecurity but also about the overall trustworthiness of digital platforms.

For Tving, which had been aggressively closing the gap with Coupang Play while approaching the milestone of 9 million monthly active users (MAU), the incident represents one of the biggest challenges in the company's history.

The controversy intensified further as indications emerged that the breach may have involved not only external hacking but also shortcomings in cloud access key management and software development security controls. Depending on the findings of ongoing investigations by government authorities and private cybersecurity experts, the company could face substantial administrative fines and renewed calls for class-action litigation.

🔹Data Breach Affecting 13 Million Users Becomes Largest in Korea's OTT Industry

According to industry sources on June 10, the preliminary number of users potentially affected by Tving's personal information leak has reached approximately 13 million.

Considering that Tving recorded around 8.82 million monthly active users in May, experts believe the affected population may include not only paying subscribers but also dormant accounts and free-tier members.

Tving has stated that the exact scale of the breach has yet to be confirmed and that a final figure will only be available after investigations by relevant authorities are completed. Nevertheless, the incident is already being described as one of the largest personal data breaches ever to hit South Korea's OTT industry.

The unidentified attacker reportedly gained unauthorized access to a database containing Tving users' personal information on June 2 and transferred related files outside the company's systems.

A particularly troubling aspect of the incident is the amount of time it took for the company to detect the intrusion.

According to an incident report submitted by Tving to the Korea Internet & Security Agency (KISA), approximately 21 hours elapsed between the onset of abnormal database activities and the company's recognition of the attack. During that period, the intruder is believed to have repeatedly accessed internal systems and executed commands to retrieve information.

Cybersecurity experts noted that the ability to quickly detect and block suspicious activity is often more important than preventing every attack outright.

"The fact that abnormal activities went unnoticed for nearly an entire day suggests that the overall monitoring and response system requires a thorough review," one industry expert said.

🔹Questions Raised Over AWS Access Keys and GitHub Hardcoding Practices

The breach has drawn even greater attention because of circumstances surrounding the possible attack vector.

Reports indicate that documents submitted to KISA included references to Tving revoking Amazon Web Services (AWS) access keys believed to have been involved in the attack.

This has fueled speculation that weaknesses in cloud access management procedures may have contributed to the intrusion.

AWS access keys serve as essential credentials that allow access to cloud infrastructure. Industry best practices emphasize regular key rotation, strict access control policies, and the principle of least privilege as fundamental security measures.

Another controversial aspect concerns GitHub, the widely used software development collaboration platform.

The incident report reportedly mentioned the removal and replacement of hardcoded credentials embedded in source code.

Hardcoding refers to the practice of directly inserting sensitive information such as usernames, passwords, or authentication tokens into application code. If such credentials were exposed through code repositories or insufficient access controls, they could potentially provide attackers with a pathway into internal systems.

Security professionals have pointed out that avoiding hardcoded credentials is one of the most basic principles of secure software development.
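
To make the hardcoding problem described above concrete, the following is an added example (not code from the incident report, Tving, or this article's sources) of the kind of check a repository scan or pre-commit hook runs to catch embedded credentials before they reach GitHub. The rule names and the sample file are constructed for illustration; the key values in the sample are the placeholder credentials from AWS's public documentation.

```python
import re

# AWS access key IDs: a 4-letter prefix (AKIA long-term, ASIA temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A name that looks like a credential, assigned a quoted literal of 8+ characters.
SECRET_ASSIGN = re.compile(
    r"""(?ix)\b([a-z0-9_]*(?:password|passwd|secret|token|api_?key)[a-z0-9_]*)
        \s*[:=]\s*(["'])([^"']{8,})\2"""
)

def redact(value):
    """Keep only the first four characters so reports do not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan(source):
    """Return (line_number, rule, redacted_value) for every hardcoded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", redact(m.group(0))))
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((lineno, "secret-literal:" + m.group(1), redact(m.group(3))))
    return findings

# Constructed sample file. The key values are the placeholder credentials used in
# AWS's public documentation, not real keys.
SAMPLE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2-prod-db"
session_token = os.environ["SESSION_TOKEN"]   # loaded at runtime: not flagged
timeout = "30"
'''

if __name__ == "__main__":
    for lineno, rule, value in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

A finding means the credential should be treated as exposed: it is revoked and replaced, not merely deleted from the latest commit, because earlier commits in the repository history still contain it.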

"If investigations confirm deficiencies in credential management, discussions could expand beyond the breach itself to broader questions about the company's overall information security framework," an industry official said.

At present, however, the exact route of intrusion has not been conclusively identified. Final conclusions are expected following digital forensic investigations conducted by the joint public-private task force.

🔹Concerns Grow Over Exposure of CI, Often Called a 'Digital Resident Registration Number'

The scope of the leaked information has also become a major source of concern.

According to information disclosed so far, the compromised data may include user IDs, names, dates of birth, gender information, Connecting Information (CI), Duplicate Information (DI), partially encrypted phone numbers, partially masked email addresses, encrypted refund account numbers, passwords, and service usage records.

Tving stated that it does not store resident registration numbers or complete credit card information, meaning such payment-related data was not part of the breach.

However, cybersecurity experts believe the greatest risk lies in the potential exposure of CI data.

CI is a unique identifier generated through identity verification processes and can be used across multiple online services. Because the same value is repeatedly utilized to confirm an individual's identity, it is often referred to as a "digital resident registration number."

One of the biggest concerns is that CI values cannot realistically be changed once exposed.

Although CI alone cannot be used to directly access bank accounts or hijack user accounts, attackers may combine leaked CI information with data obtained from other breaches to build more detailed user profiles or conduct sophisticated fraud schemes.

Given the numerous large-scale data breaches involving telecommunications companies, financial institutions, and e-commerce platforms in recent years, experts warn that the risk of cross-referencing personal information should not be underestimated.

Passwords also remain a concern.

Tving explained that passwords were stored using one-way encryption methods, making direct recovery difficult. However, users who rely on simple or commonly used passwords could still be vulnerable to brute-force attacks designed to guess the original values.

As a precautionary measure, Tving has advised users who reuse the same login credentials across multiple services to change their passwords immediately.

Industry observers believe the incident may serve as an opportunity to reassess not only Tving's security practices but also the overall level of data protection across South Korea's platform industry.

🔹CJ Group's Information Security Governance Under Scrutiny

The fallout from the breach has expanded beyond Tving itself, raising broader questions about information management practices throughout the CJ Group.

The timing of the incident has amplified public concern.

Only weeks before the Tving breach became public, personal information belonging to approximately 330 female employees within CJ Group had reportedly been distributed without authorization through a Telegram chat room.

The leaked employee data allegedly included photographs, names, phone numbers, and job titles. CJ Group identified an employee suspected of involvement and filed a complaint with police authorities.

The occurrence of both an insider-related employee data leak and an external cyberattack targeting customer information within a short period has intensified concerns about whether the group's overall information security governance framework is functioning effectively.

CJ ENM, which owns a 48.85 percent stake in Tving, remains the company's largest shareholder.

While legal responsibility for the personal information breach rests primarily with Tving as the data controller, critics argue that CJ ENM cannot entirely avoid questions regarding its oversight responsibilities given its substantial influence over the platform's management.

CJ ENM has previously emphasized its commitment to strengthening cybersecurity through group-level governance structures and dedicated information security committees outlined in its ESG reports.

However, this latest incident has prompted renewed scrutiny over whether those policies were effectively implemented in practice.

Industry experts have also called for stronger authority and organizational standing for Chief Information Security Officers (CISOs), arguing that meaningful improvements in cybersecurity require executive-level decision-making power and sufficient budgetary support.

🔹Potential Class-Action Lawsuits and Heavy Fines Add to Financial Pressure

Tving may also face significant financial repercussions as a result of the data breach.

Under South Korea's Personal Information Protection Act, the Personal Information Protection Commission (PIPC) has the authority to impose administrative fines of up to 3 percent of a company's total revenue in cases involving serious violations related to personal data protection.

Based on Tving's reported revenue of 406 billion won last year, the maximum penalty could reach approximately 12.2 billion won.

In addition to potential fines, the company may also incur substantial costs related to customer compensation, legal proceedings, cybersecurity upgrades, and expanded incident response measures.

The issue is particularly concerning given Tving's financial position.

Since being spun off from CJ ENM in 2020, Tving has yet to post an annual profit. Last year, the company reported revenue of 406 billion won, down from the previous year, while recording an operating loss of 69.8 billion won and a net loss of 89.3 billion won.

Its accumulated deficit has now exceeded 500 billion won.

Should regulators impose large-scale penalties on top of existing financial challenges, Tving's efforts to improve profitability could face additional setbacks.

Meanwhile, civic organizations have renewed calls for the introduction of a comprehensive class-action system that would allow victims of large-scale data breaches to pursue compensation more effectively.

Following a series of high-profile data leaks involving major corporations in sectors such as telecommunications, e-commerce, gaming, and finance, support for stronger legal mechanisms aimed at protecting consumers has continued to grow.

Advocates argue that current remedies place too much burden on individual victims, making collective legal action an increasingly necessary policy option.

🔹A Sudden Crisis for Tving Just as It Approached 9 Million Users

The timing of the breach has made the situation especially painful for Tving.

Until recently, the platform had been enjoying one of its strongest periods of growth.

According to Mobile Index data, Tving recorded approximately 8.82 million monthly active users in May, representing a 14.4 percent increase from the previous month.

Among South Korea's major OTT platforms, Tving was the only service to achieve double-digit user growth during the period.

A major driver behind that momentum was the acquisition of broadcasting rights for the Korea Baseball Organization (KBO) League.

After initially securing rights beginning in 2024, Tving later signed an agreement reportedly worth around 450 billion won, granting the company exclusive broadcasting rights through 2031.

Combined with the popularity of its original productions and CJ ENM's entertainment content portfolio, the strategy had enabled Tving to narrow the gap with its closest competitors.

At one point, the difference in monthly active users between Tving and Coupang Play exceeded one million. More recently, however, the gap had reportedly shrunk to roughly 300,000 users.

The incident has therefore disrupted momentum at a critical stage in Tving's expansion.

Industry analysts note that personal information protection has become just as important as content offerings when consumers decide which digital platforms to trust.

While highly engaged subscribers may continue using the service, occasional viewers and dormant users could reconsider their relationship with the platform in light of the breach.

Unlike telecommunications services that often involve long-term contracts, OTT subscriptions can generally be canceled with minimal effort.

As a result, experts warn that damage to consumer trust could quickly translate into subscriber losses.

🔹Ultimately, the Key Challenge Is Restoring Trust

Industry observers believe that the outcome of this crisis will largely depend on how effectively Tving responds in the aftermath of the breach.

Cybersecurity incidents can occur at any organization. What often determines the long-term impact, however, is how transparently a company communicates with users, how swiftly it provides remedies to affected individuals, and whether it takes meaningful steps to prevent similar incidents from recurring.

Investigations by the joint public-private task force and the Personal Information Protection Commission are currently underway. The inquiries are expected to clarify the exact method of intrusion, determine the final number of affected users, and assess whether any serious deficiencies existed in Tving's security management practices.

If investigators conclude that the company failed to implement adequate safeguards or neglected fundamental security responsibilities, Tving could face a dual burden of reputational damage and mounting financial costs.

Conversely, industry experts argue that transparent disclosure, sufficient compensation measures, and visible investments in cybersecurity improvements could help the company rebuild consumer confidence over time.

The current crisis has therefore evolved into more than a single corporate security incident. It has become a test of whether one of South Korea's leading streaming platforms can regain the trust of millions of users.

🔹Growing Competition Leaves Little Room for Error

The breach has also emerged at a time when competition within South Korea's OTT market is intensifying.

While Tving had been strengthening its position through exclusive sports broadcasting rights and original programming, rival platforms have also been making gains.

Wavve has recently expanded its lineup of live channels while experimenting with media commerce initiatives, helping the service recover its user base to more than four million monthly active users.

Disney+ has likewise posted strong growth, supported by the popularity of original productions such as *The Grand Princess of the 21st Century* and *Goldland*, allowing the platform to surpass 3.7 million users and rank among the fastest-growing services in the market.

Meanwhile, Tving had been narrowing the gap with Coupang Play in the race for second place behind Netflix.

As competitors accelerate their efforts to attract and retain viewers, Tving now faces the additional challenge of overcoming a crisis that threatens one of the most valuable assets in the digital platform industry: user trust.

Industry insiders note that retaining existing subscribers may prove easier than attracting new ones if concerns over personal data protection remain unresolved.

🔹The Future of Tving Will Depend on Its Next Moves

Experts emphasize that the quality of Tving's response in the coming months will play a decisive role in shaping the platform's future.

The findings of the joint investigation, the scale of any administrative penalties imposed by regulators, and the details of compensation programs offered to users are all expected to influence public perception.

Should authorities determine that serious negligence contributed to the breach, the consequences could extend well beyond financial penalties, leaving a lasting impact on the company's reputation.

On the other hand, decisive corrective measures could provide an opportunity for renewal.

Many analysts argue that Tving must demonstrate a genuine commitment to strengthening its cybersecurity framework through increased investment, improved governance structures, and enhanced transparency.

At the same time, maintaining the momentum generated by its content strategy—including exclusive KBO League broadcasting rights and original productions—will remain essential if the company hopes to preserve its competitive position.

For Tving, the challenge now extends beyond subscriber growth or market share.

It is a question of whether the platform can convince users that their personal information will be protected moving forward.

One-line summary: Tving, which had been rapidly approaching 9 million monthly active users, now faces one of the biggest crises in its history after a data breach affecting an estimated 13 million accounts raised concerns over security failures, regulatory penalties, and the platform's ability to regain public trust.
