Teen Suspects Behind Breach of 4.62 Million Seoul Bike Users’ Data Were Middle School Students at the Time, Police Say It Was for “Self-Display”

Two male teenagers who broke into the Seoul Bike (Ddareungi) public bicycle system run by the Seoul Metropolitan Government and leaked information on more than 4.5 million subscribers have been handed over to prosecutors. They were in middle school at the time of the crime, and one of them reportedly told investigators he stole the personal data to show off. Police are also examining whether they may have intended to sell the information.
The Seoul Metropolitan Police Agency (SMPA) Cyber Investigation Division announced on the 23rd that it had referred two male teenagers, identified only as A and B, to prosecutors without detention on charges of violating the Information and Communications Network Act, including illegal intrusion into an information and communications network.
A and B are accused of breaking into the Seoul Bike server operated by the Seoul Facilities Corporation between June 28 and 29, 2024, and stealing about 4.62 million items of personal information, including user IDs and mobile phone numbers. The leaked data also contained email addresses, home addresses, dates of birth, gender, and weight. Names and resident registration numbers were not included, according to investigators. Which specific data fields were exposed varied from subscriber to subscriber.
The two met through social media and were confirmed to have been middle school students at the time of the offenses. After B discovered a vulnerability in the Seoul Facilities Corporation server, he suggested to A that they break into it, and the crime was carried out when B proposed downloading the personal data. Both A and B are said to have taught themselves hacking techniques.
B also faces charges of disrupting business operations by launching what is known as a Distributed Denial of Service attack (DDoS attack) against another shared mobility company’s server. Between April 9 and 13, 2024, he allegedly sent about 470,000 mass requests to the server, hindering its equipment rental services.
Separately, police are conducting a preliminary inquiry into a case in which the Seoul Metropolitan Government, on the 9th of this month, asked for an investigation of officials at the Seoul Facilities Corporation on suspicion of violating the Personal Information Protection Act in connection with their responsibility for managing personal data.
Earlier, police launched an investigation after receiving a complaint in late April 2024 from a shared mobility company about a DDoS attack. In early October of the same year, they identified B as the attacker, arrested him, and seized computers and other electronic devices. During forensic analysis in July last year, investigators found a file believed to contain Seoul Bike subscriber data and expanded the probe. A detailed analysis allowed them to identify a Telegram Messenger account that had led the data leak, and after a technical trace, they arrested A, the user of that account, late last month and seized his electronic devices.
Police said they twice sought arrest warrants for A, who refused to make a statement, but prosecutors declined to request them from the court, citing his status as a juvenile. B reportedly told investigators that his motive was to show off his skills. At a press briefing, a police official added, "Although it is only an assumption at this stage, we suspect there may also have been an intention to sell the personal information."
Police plan to work with the Personal Information Protection Commission (PIPC) to draw up measures to prevent a recurrence and to focus on blocking secondary damage. A police official urged, "Please exercise particular caution with contacts or financial transaction requests from unclear sources to prevent becoming a victim," and added, "If you detect any attempted harm, report it to investigative authorities immediately so you can receive assistance."
jyseo@fnnews.com Seo Ji-yoon Reporter