Teenagers charged over public bike service breach that exposed 4.62 million records

Two South Korean teenagers have been charged in connection with a cyberattack that compromised the personal data of 4.62 million users of Seoul’s public bike service, Ttareungyi.

The compromised data included user IDs, mobile phone numbers, addresses, dates of birth, gender, and weight.

According to the Cyber Investigation Unit of the Seoul Metropolitan Police Agency, the pair carried out the attack while still in middle school. They met on Telegram and bonded over a shared interest in information security.

Between June 28 and 29, 2024, the suspects accessed the Ttareungyi server operated by the Seoul Facilities Corporation and extracted the user database.

The breach followed an earlier attack in April 2024, when one of the suspects sent about 470,000 mass signals to overwhelm the servers of a private mobility rental company. During that incident, he identified security vulnerabilities in the Ttareungyi system and shared the information with the second suspect. The pair then agreed to download the data, the Seoul Economic Daily news outlet reported.

Police opened an investigation after receiving a complaint from the mobility company. A forensic review of seized devices later uncovered files containing Ttareungyi user information, leading authorities to identify and arrest both suspects.

In an unusual step, police sought arrest warrants twice for the minors. Prosecutors rejected both requests, citing their status as juvenile offenders.

Investigators found no evidence that the stolen data was shared with third parties.