[26.06.17] TVING Suffers Massive 19.53M Data Breach After Cutting Security Budget

by monotake 2026. 6. 17. 22:06

TVING Suffers Massive Breach Exposing 19.53 Million Users' Data Following Back-to-Back Security Budget Cuts

TVING, a leading domestic South Korean OTT (Over-The-Top) streaming platform, has suffered an unprecedented data breach exposing the personal information of over 19.5 million users. Despite the massive scale of the cyberattack, it has been revealed that TVING consistently slashed its cybersecurity budget over the past two consecutive years, triggering fierce criticism for what many call a "predictable, man-made disaster."

1. Scale of Breach is 2.5 Times Active User Base: Did "Ghost Accounts" Get Compromised?

According to data submitted to the National Assembly's Science, ICT, Broadcasting, and Communications Committee by Representative Lee Jeong-heon's office (Democratic Party of Korea) and the Personal Information Protection Commission (PIPC), the confirmed number of victims in the TVING breach stands at a staggering 19.53 million. This drastically exceeds the government’s initial provisional estimate of 13 million, marking it the third-largest data breach in South Korean history, following Coupang (37.55 million) and SK Telecom (26.96 million).

  • The Mystery Behind the Numbers: The most alarming aspect is that this number far eclipses TVING's actual active user metrics. According to market tracker Mobile Index, as of April, TVING’s Monthly Active Users (MAU) hovered around 7.7 million, with paid subscribers at approximately 5 million. This means the leaked data contains information for 12 million more individuals than the platform's current active user base.
  • PIPC Launching Deep Investigation: Authorities are heavily investigating the discrepancy, suspecting that the breach swallowed data from terminated memberships, dormant accounts, and "bundled linked accounts" created through telecom partnerships or cross-promotions with platforms like Disney+.
  • Legal Vulnerabilities: Under the Personal Information Protection Act, companies are legally mandated to destroy personal data without delay (within 5 days) once the purpose of collection is achieved. If investigations prove that canceled or dormant accounts were left unpurged or unsegregated, TVING could face catastrophic punitive fines due to the "gravity of the violation."

2. A 3-Day Void: Delays in Triage and Regulatory Reporting

Suspicion is mounting over TVING's initial response timeline and discrepancies found in its mandatory regulatory filings.

  • Inconsistent Reports: The "initial incident awareness times" stated in the reports TVING submitted to the Ministry of Science and ICT (MSIT) and to the PIPC do not match. The report to MSIT stated they noticed the breach on May 31 at 3:09 PM, whereas the filing to the PIPC cited May 30 at 4:30 PM.
  • 72-Hour Golden Time Squandered: Even more critical is the delay in confirming the actual theft. While TVING acknowledged unauthorized database access on May 30, it explicitly noted in its filing that it only confirmed the actual "external exfiltration of database files" on June 2 at 6:18 AM. This indicates it took nearly three full days to realize data had actually been stolen.
  • Government Tracking Internal Reports: A joint public-private investigation team is zeroing in on this timeline gap. An MSIT official commented, "It appears the company took time to internally diagnose whether the incident was a system glitch or a malicious hack." However, the ministry added that it plans to conduct tracking interviews regarding the Chief Information Security Officer's (CISO) reporting line and audit internal logs to determine whether there was an intentional delay or cover-up.

3. Slashed Security Investments Amid Skyrocketing Revenue

Management's historical disregard for cybersecurity is being targeted as the root cause of this vulnerability.

  • Cutting Budget by 20%: According to the Korea Internet & Security Agency (KISA) disclosure portal, TVING’s information security investment peaked in 2022 at 2.19 billion KRW. It subsequently dropped to 1.83 billion KRW in 2023, and further shriveled to 1.76 billion KRW in 2024. This marks an approximate 20% budget cut over two years—a complete antithesis to the company's surging subscriber growth and revenue over the same period.
  • Flawed Governance Structure: TVING’s corporate structure also lacked security authority. The company operated with its Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) roles assigned to a single, non-executive "sub-executive" employee. Experts point out that this structure fundamentally prevented the security department from effectively demanding large-scale budgets or directly voicing vulnerabilities to executive leadership.

4. Leak of Connecting Information (CI) Sparks Massive Class-Action Lawsuits

Public panic and fury are reaching a boiling point because the compromised dataset includes Connecting Information (CI).

  • High Risk of Secondary Fraud: CI serves as a digital surrogate for resident verification across online platforms to distinguish unique users. Unlike standard personal data, CI is a permanent mathematical value that cannot be changed or replaced once leaked. If hackers cross-reference this stolen CI with existing leaked databases containing IDs and phone numbers, it paves the way for highly sophisticated identity theft, voice phishing, and financial fraud.
  • Astronomical Liability Looming: Legal retaliation has ignited rapidly. According to the law firm Jihyang, the number of plaintiffs who have registered to join a class-action lawsuit against TVING has already surpassed 90,000 individuals. With the requested compensation set at 300,000 KRW per plaintiff, the litigation scale is already projected to reach tens of billions of KRW.

5. The "KBO Monopoly Effect" Blunts Consumer Backlash

In a bizarre twist, despite the historic scale of the cyberattack, TVING's user metrics have defied expectations by continuing to rise.

  • Explosive Growth Trajectory: Mobile Index data shows that during the first week of June (June 1–7), right around when the breach became public knowledge, TVING’s Weekly Active Users (WAU) hit 5,706,203—an increase of roughly 200,000 users compared to the prior week. This is a 50.2% surge compared to the first week of January. Furthermore, May MAU spiked by over a million users month-over-month to hit 8.81 million, fiercely closing the gap with Coupang Play (9.11 million), the current No. 2 OTT player.
  • The Irony of Sports Streaming: Security analysts attribute this anomaly partly to consumer fatigue over frequent corporate data breaches, but primarily to TVING's exclusive broadcasting rights for the KBO (Korea Baseball Organization) League. Fans expressing outrage over the security failure are simultaneously unable to delete the application due to their reliance on the platform for live baseball streaming.

"This incident is a shameful case that exposes just how lightly and carelessly major domestic platforms treat user data. The government must move beyond issuing simple administrative fines and establish mandatory institutional safeguards that force massive digital platforms to fulfill their security obligations." (Representative Lee Jeong-heon, National Assembly Science & ICT Committee)

In light of the TVING crisis, the Korea Communications Commission (KCC) announced that it will fast-track a policy mandating the **compulsory encryption and separate storage of Connecting Information (CI)** to prevent identity synthesis attacks. Originally slated for May, the enforcement date has been bumped up by four months to take effect in January 2026.

One-line summary: TVING has suffered a catastrophic data breach exposing 19.53 million accounts (far exceeding its active user base) due to consecutive cybersecurity budget cuts and delayed triage, igniting massive consumer lawsuits; however, due to its exclusive pro-baseball streaming rights, user retention and active engagement have ironically increased.
