The government's principle regarding personal information protection is clear: personal data is a right and asset of the citizens, and institutions or companies that leak or poorly manage this information must be held accountable. In practice, the government has imposed hefty fines amounting to hundreds of millions or even billions of won on companies responsible for data breaches, sending a strong message that there are no exceptions when it comes to protecting personal information.
However, a recent data breach linked to the Ministry of SMEs and Startups' "Everyone's Startup Project" raises questions about how rigorously the government adheres to its own principles. It was confirmed that the email addresses, evaluation comments, and summary ideas of 5,000 successful applicants for the startup support program were exposed, heightening concerns about the government's overall personal information management system.
While it is reported that sensitive personal information such as names, contact numbers, and resident registration numbers were not leaked, the exposure of business ideas and evaluation results—key assets for aspiring entrepreneurs—cannot be taken lightly. Furthermore, if the business plans and evaluation content submitted in good faith to the government were made public, it would represent a significant breach of trust in the startup ecosystem, rather than just a simple data incident.
Current reports indicate that the breach did not result from an external hacker infiltrating the security network, but rather from a hack of the AI solution company supporting the project participants. This raises the possibility that basic security management protocols were not functioning properly, rather than being victims of sophisticated hacking.
Notably, concerns about the information security system and personal data management of the Korea Startup Promotion Agency were already raised during a security audit by the Ministry of SMEs and Startups last year. Critics have pointed out that while the government has expanded its digital startup platform, it has failed to enhance its personal information protection system and security management capabilities accordingly.
A thorough review is necessary to determine whether the issues raised previously were adequately addressed, as this incident might have been preventable. While investigating the cause of the breach is important, it is even more crucial to examine whether the government failed to respond appropriately to warning signs that were already present. The most alarming aspect is an organizational culture that neglects foreseen risks.
The Ministry of SMEs and Startups stated that it recognized the incident through user inquiries, blocked the access route, and implemented additional security measures. However, what the public is truly concerned about is not whether legal procedures were followed, but why such an incident occurred in the first place.
If a private company had experienced a similar breach, the government would have rigorously scrutinized various factors, including whether security vulnerabilities had been previously identified, whether the management system was adequate, whether the incident was reported swiftly, and what accountability the top officials would bear.
Recently, the government has imposed record fines on companies for personal information leaks and negligence in managing online user data. The Personal Information Protection Commission's imposition of over 600 billion won in fines on Coupang was also a measure to emphasize the importance of data protection. However, the legitimacy of regulation stems from fairness. It is difficult to gain credibility when the government is lenient towards itself while imposing strict regulations on the private sector.
In light of this incident, the government must reassess its personal information protection system from the ground up. Particularly for systems like the startup support platform that handle the personal information and business data of tens of thousands, security standards should exceed those applied to private companies. The management system for external contractors must be scrutinized, access permissions should be tightly controlled, privacy settings should function correctly, and it must be transparently verified whether the security vulnerabilities identified last year have been adequately addressed.
Citizens expect the government to demonstrate a higher level of accountability than private companies. This is because the government serves as both a regulatory body and a massive platform operator managing personal data. Trust is proven through actions, not slogans. This incident will serve as a test of the government's sincerity regarding personal information protection.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.