On the 15th, immediately after the profiles were made public, access to non-public information began, and information was pulled by nine domestic IP addresses.
Even after the blocking measures, criticism has emerged that the response was slow, with promotional emails still arriving on the 16th at a non-public email address.
A government platform has come under scrutiny for security governance after the government, which had been imposing hefty fines on private companies, failed to secure its own security.
The government’s ambitious startup audition has been marred by a personal information leak just days after launch. The fallout is growing as not only the finalists’ startup ideas but also the judges’ evaluations were exposed.
On the 18th, the Ministry of SMEs and Startups said it had confirmed attempts to access non-public information of 5,000 first-round finalists in the public startup project “Everyone’s Startup.” The leaked information included email addresses, idea summaries, and review comments. The ministry reported the leak to the Korea Internet & Security Agency (KISA) at 1 p.m. the same day and posted an apology.
The 5,000 people who beat the odds among some 63,000 applicants were the ones directly affected. Their concern is not limited to exposed email addresses; their business ideas, the very foundation of their ventures, and the judges’ assessments of those ideas were leaked in full.
Coincidentally, the 16th was the day the first cohort launch ceremony was held with Minister of SMEs and Startups Han Seong-sook in attendance. Han is currently awaiting a confirmation hearing as a nominee for prime minister.
프로필 공개가 열어준 ‘구멍’
The incident began at 9 a.m. on the 15th, when the profiles of 5,000 finalists were opened on the platform. The items exposed at the time were nicknames, follower counts, and whether they had advanced to the next round. Email addresses, idea summaries, and self-introductions were fields that users could choose to make public or keep private.
The key issue is that non-public areas were accessed by using the publicly available profiles as a stepping-stone. The ministry said it had identified signs that nine domestic IP addresses accessed restricted information through unauthorized routes. It has not yet been determined what method was used or what vulnerability was exploited.
Detection and blocking were each one step late. The ministry realized there was an incident around 3 p.m. on the 15th after users made inquiries, and an hour later blocked the access route. But the next morning, on the 16th, a complaint was filed that a promotional email from an AI solutions company had been received at a private email address. A security function to filter out automated collection was only added later that evening on the 16th.
“My idea became public property”
Victims’ anger stems from the nature of the information that was leaked. One finalist said, “I received an advertisement email sent to a nickname and email address I never told anyone.” Another finalist, identified as A, said that even after the blocking announcement on the 16th, email collection may still have been possible through an API, arguing that “the response was careless.”
On social media, reactions were intense. Comments such as “Did Everyone’s Startup mean everyone’s ideas had to be made public?” and “My startup idea has become public property” poured in. A startup idea is close to intellectual property in the pre-commercialization stage. If it falls first into the hands of competitors or companies, the very basis for securing a market position can be shaken. That is why this type of leak carries greater weight than an ordinary exposure of contact information.
Private companies face fines, but the government does not
What makes this incident even more painful is that the entity that leaked the information was the government. Until now, the government has imposed tens of millions to hundreds of millions of won in fines on private companies that leaked personal information. The side that has strongly held others accountable for security failed to protect the non-public information on a platform it operates itself.
There is widespread criticism of flaws in the design stage. Public and non-public information were handled within the same system, leaving room for unauthorized access to slip through. The platform was also seen as lacking mechanisms to block bulk data scraping attempts from outside and to detect abnormal access in real time.
The direction for a solution is clear. First, public and private data should be stored separately, with access rights narrowed to the bare minimum necessary. Systems should automatically cut off when unusually large numbers of requests arrive in a short period, and a reporting mechanism must be in place to notify authorities immediately in the event of a leak. For a public platform run by the government, mandatory security reviews before launch can no longer be delayed.
The Ministry of SMEs and Startups is investigating the cause together with outside agencies, including the National Cyber Security Center. The exact scale of the leak and the intrusion route will have to await the results of the investigation. What is clear is that the stage set up to gather the public’s ideas was lax in protecting those ideas. The starting point for restoring broken trust is to uncover exactly who is responsible.