Data sharing between apps risks personal information leaks

Jul 09, 2026, 09:21 am

print page small font big font

facebook share

tweet share

/ Personal Information Protection Commission

A series of personal information leak incidents have been occurring through Application Programming Interfaces (APIs), which connect platforms such as websites and smartphone applications. While data linkages for user convenience are expanding, the actual management of these interfaces is being neglected. In response, the government has urged business operators to tighten API authorization management and personal data protection measures.


According to the Personal Information Protection Commission (PIPC) on July 8, personal data leaks through APIs have become a recurring issue as domestic and international businesses increasingly utilize them.


An API serves as a conduit allowing different applications or systems to share data. It is widely used in everyday services such as simple payments, authentication, and partner service integrations. In fact, 57% of all traffic passing through Cloudflare, a major internet network provider, goes through APIs, making them an essential infrastructure in the digital space.


The problem is that these APIs frequently verify only whether a user is logged in, while failing to validate their actual authorization to access and query specific personal information. Furthermore, personal data that is not immediately required for service delivery is often included in API response data. This means that sensitive information, which users do not need to provide, is transmitted in bulk without their knowledge.


Under these circumstances, malicious actors can extract large volumes of personal information simply by making abnormal API calls. They exploit the flaw where the system checks only a user's login status but fails to verify their access rights to the data. Indeed, when a leak of approximately 20,000 data records occurred last month during the Ministry of Startups and SMEs' "Startups for All" project, one of the participating firms extracted information, including email addresses, via specific API calls. At the time, applicants' personal data on the "Startups for All" platform was structured and transmitted through API responses, leaving it highly vulnerable to exposure.


Consequently, the PIPC emphasized that the principle of personal data minimization must be strictly observed right from the API design stage. Information that is not necessary for delivering the service must be excluded from API response data, and repeated API calls that lack authorization or violate policies must be blocked.


In addition, it has become crucial to continuously identify and update the list of operational APIs. Operators must check whether APIs that can be called externally still remain active even after service reorganizations or tests are completed, ensure that no unnecessary information is included, and delete them if necessary. "Credentials such as keys and tokens should be issued individually to each person in charge, and the scope of data being queried or transmitted must be restricted depending on the specific situation," the PIPC urged.


                                                                                                           Kim Hong-chan

#Data breach 
Copyright by Asiatoday