South Korean authorities charged two teenagers with hacking Seoul's Ttareungyi bike-sharing service, compromising sensitive personal information of 4.62 million riders.

South Korean prosecutors are pursuing criminal charges against two teenagers accused of breaching Seoul's public bicycle rental system, exposing sensitive personal information belonging to 4.62 million users. The Seoul Metropolitan Police Agency's Cyber Investigation Unit confirmed the charges this week against minors identified only as Person A and Person B, who allegedly executed the attack on the Ttareungyi service in June 2024 while still in middle school.
The compromised data includes highly sensitive rider information: user IDs, phone numbers, physical home addresses, email addresses, dates of birth, genders, and even weight measurements. With Ttareungyi reporting approximately 5 million total registered users, this breach affected roughly 90% of the service's customer base. Police stated Person A executed the technical attack that accessed the data repository, while Person B proposed downloading and stealing the information.
Authorities charged both individuals under South Korea's Information and Communications Network Act, which governs data protection and cybersecurity violations. While neither teen is currently detained pre-trial, police twice sought detention for Person A – requests denied due to their juvenile status. The case has now been formally referred to prosecutors who will determine sentencing.
According to investigative findings, the pair connected via Telegram due to shared interests in information security. Person B reportedly told police they executed the breach to test and demonstrate technical skills, while Person A invoked their right to remain silent during questioning. Notably, investigators uncovered the Ttareungyi breach while probing a separate April 2024 DDoS attack on a private mobility company allegedly orchestrated by Person B. Digital evidence seized during that investigation revealed connections to the bike-share breach.
Police emphasize there's no evidence the stolen data was leaked or sold, though investigators believe profit motivation existed. The Seoul Facilities Corporation – the government-owned operator of Ttareungyi – was notified in January 2026 about impending scrutiny of its security practices. This incident underscores critical vulnerabilities in public transportation systems storing sensitive user data and raises questions about juvenile involvement in sophisticated cybercrime. It also highlights how seemingly innocuous services like bike-sharing collect extensive personal profiles attractive to attackers.
Legal experts note this case will test South Korea's approach to underage cyber offenders amid growing global concerns about teen hacking. The breach represents one of Asia's largest publicly disclosed transportation data compromises, affecting nearly every Seoul resident who used the popular bike-share service.
