South Korea to inspect call centers after major data breach

SEOUL, SOUTH KOREA — South Korea’s privacy regulator has launched a sweeping review of outsourced call centers across multiple industries after a delivery app data breach exposed serious gaps in how companies handle customer information. 

According to a report from Seoul Economic Daily, the move follows allegations that a customer service agent misused personal data for criminal activity, raising concerns over outsourced workforce security and digital privacy safeguards.

The Personal Information Protection Commission (PIPC) said it will carry out inspections after a case involving a food delivery platform highlighted vulnerabilities in access control systems. 

Authorities are now widening scrutiny to determine whether similar risks exist across other service sectors that rely heavily on subcontracted customer support operations.

Delivery app breach triggers nationwide investigation

According to police, a customer service agent working at an outsourced call center for Baedal Minjok, South Korea’s leading food delivery app, “was found to have accessed customer personal information, including home addresses, unrelated to work duties and used the data for criminal purposes.”

Investigators said the agent allegedly transmitted sensitive customer information to a criminal network that organized so-called “revenge attacks” via Telegram. 

The individual reportedly received tens of millions of won in exchange for the stolen data, exposing how personal information can be weaponized when improperly managed.

The PIPC said it sees “an urgent need to review the overall system governing access to and management of personal information through call centers.” 

The inspections will span five sectors: delivery services, home shopping, online shopping, rental services, and wired telecommunications.

Focus on access control and subcontractor oversight

Regulators will examine whether companies are properly limiting employee access to personal data, updating or revoking permissions when roles change, and preventing account sharing. 

The review will also assess “the status of access log retention and review” as well as “the state of training, management and supervision of subcontractors,” according to the PIPC.

The agency said the goal is to “identify and address deficiencies preemptively through the focused inspections” and impose corrective measures where necessary, signaling a more aggressive stance on data governance in outsourced environments.

Outsourcing model under renewed scrutiny

The incident underscores growing concerns about the outsourcing model widely used in South Korea’s customer service industry and beyond. 

While outsourcing offers cost efficiency and scalability for fast-growing digital platforms, it also introduces complex risks when third-party workers are granted access to sensitive user data. 

As regulators tighten oversight, companies may face pressure to redesign access systems, strengthen monitoring, and rethink how much control can safely be delegated outside core operations.