Data Breach in 'Everyone's Startup' Raises Concerns Over Intellectual Property

By Shin Hye An | Posted: June 22, 2026, 17:00 | Updated: June 22, 2026, 17:00
Launch ceremony for Everyone's Startup [Photo by Yonhap News]

A data breach involving the personal information of 5,000 participants in the "Everyone's Startup" initiative, managed by the Startup Promotion Agency under the Ministry of SMEs and Startups, is expected to escalate beyond a simple privacy violation to issues concerning idea protection and trade secrets. The leaked data includes email addresses, summaries of startup ideas, and evaluation comments, prompting concerns about the nature of the information and potential additional damages as investigations proceed.

According to IT industry sources on June 22, the Startup Promotion Agency has reported the data breach to the Personal Information Protection Commission, initiating an investigation. This incident is likely to expand beyond mere personal data concerns to encompass intellectual property and trade secret issues. There are fears that it could lead to large-scale lawsuits, prompting the industry to remain vigilant.

A report from the office of lawmaker Kang Seung-kyu indicates that on June 15, at 9 a.m., an artificial intelligence (AI) solution company involved in the project accessed confidential email addresses through abnormal application programming interface (API) calls. The company then sent promotional emails to the addresses it had acquired, which brought the data breach to light. The Startup Promotion Agency became aware of the incident through a complaint at approximately 3 p.m. on the same day.

Industry experts note that this data breach differs from typical personal information leaks, as it involves not only email addresses but also idea summaries and evaluation comments. While email addresses are classified as personal data, the summaries and comments could be treated as potential infringements on intellectual property or trade secrets.

The leaked information may contain details about the business models and evaluations of prospective entrepreneurs, raising concerns that ideas submitted for public support could be compromised, leading to further damages.

According to the Startup Promotion Agency's report on the breach, the confidential email addresses were not displayed externally. However, the company, which did not have API access, was able to obtain the information through specific API calls and AI-based automatic collection and web crawling.

While the service interface was designed to block access, some server APIs, including those for challenger profiles and evaluation comments, were reportedly inadequately secured.

The office of Kang Seung-kyu stated that the information provided in the data breach report from the Startup Promotion Agency is insufficient to assess the specific circumstances of the breach and the level of security. A representative from the office commented, "The report does not reveal detailed circumstances, and further verification of the security level is necessary."

Additionally, this incident has drawn comparisons to a previous data breach at Coupang, where internal access management issues were highlighted. Last year, a data breach at Coupang involved a former employee misusing authentication systems and signing keys, raising concerns about internal access rights and management. The industry points out that the data breach in the Everyone's Startup initiative also originated from a participating company, similar to the Coupang case.

The severity of the consequences from this incident is expected to depend on the actual scale of the leak, the extent of damages, the API access circumstances of the AI solution company, and the preemptive security measures taken by the Startup Promotion Agency. However, as the scale of the leak, actual damages, the company's access rights, and the agency's compliance with safety measures have yet to be confirmed, it is difficult to ascertain the likelihood of severe penalties at this stage. A representative from the Personal Information Protection Commission stated, "The seriousness of the situation can only be determined through investigation."

Meanwhile, the Startup Promotion Agency reported that after becoming aware of the breach, it prepared a notification letter regarding the data leak and sent it via text message to the affected individuals. The agency plans to establish a verification feature on its website to allow individuals to confirm whether their personal information has been compromised and will also operate a damage reporting channel to minimize further harm.



* This article has been translated by AI.
