Bike service Ttareungi did nothing about 2024 data leak affecting 4.5 million users
Published: 06 Feb. 2026, 14:26
![A Ttareungi bike is seen on a road on Feb. 1 in Yeongdeungpo District, western Seoul. [YONHAP]](https://koreaseafood.online/data/photo/2026/02/06/abaa50fe-19c8-430d-b259-f3285f43975a.jpg)
A Ttareungi bike is seen on a road on Feb. 1 in Yeongdeungpo District, western Seoul. [YONHAP]
Seoul Facilities Corporation knew for nearly two years that personal data of 4.5 million users of Seoul’s public bike service Ttareungi had been exposed in a cyberattack but failed to act, city officials said Friday.
“An internal probe found that the corporation had confirmed the data leak during a cyberattack on the Ttareungi app in June 2024, but the corporation failed to take separate measures, resulting in no initial response,” said Han Jeong-hun, director of the Seoul Metropolitan Government’s transportation operation bureau at a briefing at City Hall on Friday morning.
With an investigation underway, the city said it plans to notify police of the corporation’s inadequate initial response. It also reported those involved — including staff in charge at the time — to investigative authorities.
“We reported the case to the Personal Information Protection Commission (PIPC) and the Korea Internet and Security Agency,” said the Seoul Metropolitan Government. “We will strengthen its management and oversight system to prevent a recurrence based on the outcomes of the police investigation and the PIPC’s probe.”
The corporation reported the breach to relevant authorities on Jan. 30, after police informed it on Jan. 27 that Ttareungi members’ personal information had been leaked. The number of affected cases identified so far is 4.5 million. Ttareungi currently has around 5 million registered members.
![Seoul’s Ttareungi bikes are seen parked in the capital city on Nov. 12, 2025. [NEWS1]](https://koreaseafood.online/data/photo/2026/02/06/ea8c0d93-06ef-4b4e-9f6e-a85e4ebbded2.jpg)
Seoul’s Ttareungi bikes are seen parked in the capital city on Nov. 12, 2025. [NEWS1]
The breach occurred in 2024, during a period when distributed denial-of-service attacks surged.
The Ttareungi app’s mandatory data fields are user ID and mobile phone number. Optional fields include email address, date of birth, gender and weight. Names and addresses are not among the collected items.
The corporation said it does not store information that it does not collect in its database, meaning such information could not have been leaked. However, it added that personal information users entered voluntarily may have been exposed. Police are investigating the route and scope of the leak, as well as whether any damage occurred.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY HAN EUN-HWA [[email protected]]
with the Korea JoongAng Daily
To write comments, please log in to one of the accounts.
Standards Board Policy (0/250자)