The Seoul police have initiated an investigation into two suspects who are allegedly involved in the massive data breach affecting over 4.5 million users of the public bicycle service 'Ddarung-i'. Police Commissioner Park Jeong-bo, speaking at a regular media briefing, confirmed that the suspects are currently not in custody; however, they have also identified a third accomplice who was arrested, but a request for an arrest warrant was denied. The breach reportedly followed a distributed denial-of-service (DDoS) attack on the Ddarung-i application in June 2024.

As the investigation has progressed, police detailed that they first became aware of the data leakage in June 2024 when the Ddarung-i application suffered a DDoS attack. Since then, they have scrutinized data and interviewing suspects to uncover further individuals possibly involved in the breach, with indications that more personal information sharing incidents have occurred in the current year. This raises significant concerns regarding the management of user data and cybersecurity measures in place.

Moreover, the police are also reviewing the actions of the Seoul Facilities Corporation responsible for the Ddarung-i service, which reportedly took no action for about two years after being made aware of the data leak. According to the Seoul city representatives, they had sent a report to the corporation following their inspection in July 2024, indicating that the personal information had been compromised. However, the corporation failed to follow legal protocols for reporting the incident to relevant authorities, highlighting a significant gap in compliance and accountability in handling sensitive user information.