‘Ddarungi’ Member Information Leak Acknowledged... Privacy Protection ‘Grade A’
Member information of Seoul's public bicycle service, ‘Ddarungi,’ was leaked, even as the Seoul Facilities Corporation received a high score in government privacy protection evaluations.
The personal information of members of Seoul's public bicycle service, ‘Ddarungi,’ has reportedly been leaked. The news comes even though the Seoul Facilities Corporation, which oversees the service, received a score of over 80 points in a government assessment of public institutions' data protection measures for 2024. Despite this high evaluation, the corporation was aware of the data breach as early as July 18, 2024, yet failed to take legally required actions such as reporting to the Personal Information Protection Commission. This raises serious questions about the effectiveness of the assessment system, which critics argue does not accurately reflect the realities of data management and protection.
The evaluation of public agencies' personal data protection gave the Seoul Facilities Corporation an A grade, the second highest after the S grade, which represents scores above 90. How the assessment is carried out matters, however: it includes self-reviews of compliance with legal obligations such as malware prevention and intrusion prevention measures, as well as expert evaluations of privacy protection efforts. That the corporation received this high rating despite knowing about the information leak points to a significant disconnect between the scoring system and actual practices in data protection.
Experts have commented that while many public institutions might have formal structures and documentation in place for personal data protection, these frameworks often do not function in practice. For instance, there may be designated personnel responsible for data protection, yet these individuals often lack the training or authority needed to implement the required protective measures. Analysis from specialists in data security suggests that systemic changes are needed to ensure that data protection policies translate into practical and effective actions, rather than merely existing on paper.