SEOUL, July 1 (Korea Bizwire) — South Korea’s Personal Information Protection Commission (PIPC) has launched an investigation into global sandwich franchise Subway over allegations that its online ordering system left customer data exposed without proper security measures, raising renewed concerns about digital privacy across the country’s food delivery sector.
According to the PIPC, Subway’s website and mobile app allowed users to access other customers’ personal information simply by altering the numbers at the end of the URL, without requiring login credentials or verification. This flaw, known as a parameter manipulation vulnerability, mirrors a similar incident recently uncovered at Papa John’s Korea.
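The flaw the PIPC describes is what application-security practice calls an insecure direct object reference: the server looks an object up by the identifier in the URL and never asks whether the requester is allowed to see it. The following added example (not Subway's code, nor anything taken from the investigation) shows that pattern beside the corrected handler and a small regression check a defender can run against either. The order store, customer records, `Order` class and handler names are all constructed for illustration.

```python
"""Added example (not Subway's code): an order-lookup handler that trusts the
id in the URL, the same handler with an authorization check, and a regression
check that reports which ids each handler discloses. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int      # the customer who placed the order
    name: str
    phone: str
    items: tuple


# Constructed sample store: two customers, one order each.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, owner_id=1, name="Customer A", phone="010-0000-0001", items=("Italian BMT",)),
    1002: Order(1002, owner_id=2, name="Customer B", phone="010-0000-0002", items=("Veggie Delite",)),
}


class Forbidden(Exception):
    """Requester is not logged in."""


class NotFound(Exception):
    """Object does not exist, or must look that way to this requester."""


def render(order: Order) -> dict:
    return {"name": order.name, "phone": order.phone, "items": list(order.items)}


def get_order_vulnerable(order_id: int, session_user_id: Optional[int] = None) -> dict:
    """The exposed pattern: the id from the URL is the only thing consulted.
    The session is ignored entirely, so changing the number in the URL
    returns another customer's name, phone number and order details."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return render(order)


def get_order_fixed(order_id: int, session_user_id: Optional[int]) -> dict:
    """The corrected pattern:
    1. refuse unauthenticated requests outright;
    2. check ownership server-side (the URL is never trusted for this);
    3. answer 'not yours' and 'does not exist' identically, so the endpoint
       does not confirm which order ids are live."""
    if session_user_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return render(order)


Handler = Callable[[int, Optional[int]], dict]


def enumerate_exposed(handler: Handler, ids: Iterable[int],
                      session_user_id: Optional[int]) -> List[int]:
    """Defender-side regression check: which of these ids does the handler
    disclose to this session? A correct handler returns exactly the ids the
    session owns, and nothing at all for an anonymous session."""
    exposed: List[int] = []
    for oid in ids:
        try:
            handler(oid, session_user_id)
            exposed.append(oid)
        except (Forbidden, NotFound):
            continue
    return exposed


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable, user 1:", enumerate_exposed(get_order_vulnerable, ids, 1))   # [1001, 1002]
    print("fixed, user 1:     ", enumerate_exposed(get_order_fixed, ids, 1))        # [1001]
    print("fixed, anonymous:  ", enumerate_exposed(get_order_fixed, ids, None))     # []
```

Note that adding a login requirement alone would not have closed the hole: a logged-in customer could still walk other customers' ids. The ownership comparison in `get_order_fixed` is the part that matters, and the `enumerate_exposed` check is the kind of test to keep in a suite so that a later refactor cannot quietly drop it.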
The exposed data reportedly included names, phone numbers, and order details, and may have been accessible for at least five months, according to Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee. The actual number of users affected remains unclear.
“This is a fundamental failure in security oversight,” said Kim Seung-joo, a cybersecurity professor at Korea University. “The fact that anyone could access someone else’s private information without authentication is a major breach, regardless of the scale.”
Subway confirmed the technical issue, claiming it has since been resolved. “We identified a potential exposure of limited customer data and immediately took steps to fix it,” the company said in a statement, adding that it found no evidence of malicious misuse and reported the issue to the Korea Internet & Security Agency (KISA).
The Subway case is the latest in a string of high-profile data breaches involving South Korean platforms. Earlier this year, Papa John’s Korea was found to have leaked even more sensitive data — including credit card numbers and building access codes — using the same URL vulnerability. Luxury e-commerce platform Mustit also came under fire after it was revealed that member information was retrievable without authentication.
The PIPC emphasized the need for stricter oversight, particularly in industries like food and beverage where personal data is integral to service delivery. A broader sector-wide investigation into data practices across food delivery platforms is currently underway, with findings expected later this year.
Under South Korea’s data protection laws, companies found to have mishandled personal information can face fines of up to ₩50 million or up to 3% of annual revenue. Precedents include ₩15.1 billion in fines for Kakao and ₩7.5 billion for Golfzon following previous breaches.
Despite these penalties, experts argue that enforcement remains inadequate. “Weak data protections have become a recurring issue, and it’s clear that more effective deterrents are needed,” said Choi.
Public anger is also mounting. “Even just leaking a phone number can lead to spam or scams,” said a 30-year-old Subway app user. “If they can’t manage the basics, how can we trust them with anything else?”
With online ordering now a routine part of everyday life in South Korea, lawmakers and regulators alike are calling for stronger data security frameworks and tougher consequences to restore public trust.
M. H. Lee (mhlee@koreabizwire.com)