Data of 5,000 Startup Founders Leaked in South Korea Government Competition Hack

Tech News

There’s a particular kind of dread that comes when a targeted ad knows something it shouldn’t. For roughly 5,000 startup founders in South Korea, that dread became real this month — and it’s now clear their data was stolen, not guessed.

South Korea’s “National Startup Competition” (모두의 창업) — a large government-run program — confirmed a data breach on June 17. The competition had drawn about 63,000 applicants, but the breach exposed the personal information, startup idea summaries, and review comments of roughly 5,000 first-round selectees. All of that data was accessed and copied by an unauthorized party.

The breach came to light in an unsettling way. Multiple advancing contestants suddenly received marketing emails from consulting firms offering help with government startup grants. The emails didn’t just make a pitch — they correctly referenced each recipient’s nickname and selection status, details that were never publicly disclosed. For recipients, there was only one explanation: their competition data had been sold or shared without authorization.

Initial suspicion fell on an internal vendor. But as the investigation unfolded, a different picture emerged. According to the Korea Ministry of SMEs and Startups, the root cause appears to be a hack on an AI solution provider that was working with the competition. The attackers bypassed backend authentication and used abnormal API calls to access encrypted data in the system.

The Ministry, working with the Korea Internet & Security Agency (KISA) and the National Police Agency, is now investigating nine suspicious IP addresses that accessed sensitive data. The full scope of the leak — how much data was taken, by whom, and whether it has already been sold — has not yet been determined.

This is the kind of breach that cuts deep for early-stage founders. A startup idea, whether it won funding or not, is a piece of intellectual property that can’t be un-leaked. And the targeted marketing campaign that exposed the breach suggests the stolen data is already being actively exploited.