CJ Group asked Seoul police to open a criminal probe after a Telegram channel posted the names, mobile numbers, job titles, internal phone numbers and photographs of about 330 of the company's female employees on May 18.
The company filed a complaint with the Seoul Metropolitan Police Agency on May 19 and said on May 20 that it had submitted the complaint the previous day, citing violations of the Personal Information Protection Act.
About 2,800 people were reportedly members or participants in the Telegram channel, which was created in 2023, and some of the exposed information appears to have been accessible through CJ Group's internal intranet, increasing the scale and sensitivity of the breach.
A CJ Group representative said, "We plan to fully cooperate with the police investigation," and added, "We have individually notified the affected employees and are implementing measures to prevent secondary damage."
The Seoul Metropolitan Police Agency's cybercrime investigation unit is handling the case. Police said they are tracking the operator of the Telegram channel and examining the timing of transactions and the size of sale proceeds tied to changes in channel ownership.
Records show ownership of the channel was traded for cryptocurrency in October 2025 and again in December 2025 through a platform that buys and sells channel ownership, a detail investigators are now probing to determine who profited and whether those trades link back to the person or persons who compiled the data.
Industry experts consulted after the leak suggested the exposure was more likely the work of an insider than an external hacker, a theory that gains weight from the fact that some of the information was viewable on CJ Group's internal systems. Police are therefore focusing on both the channel operator and possible internal access paths.
The leak has prompted immediate worries about secondary crimes. Victims and investigators raised the risk of voice phishing, deepfake misuse and other forms of harassment that use personal contact data and photographs. CJ Group has said it notified affected employees individually and is taking steps it described as aimed at preventing such secondary damage.
The case also touches on a regulatory question: current law requires reporting to the Personal Information Protection Commission in certain large-scale or sensitive-data breaches, but it had not been confirmed whether the leaked material met those thresholds. That unresolved status shapes what companies must disclose and how regulators will respond if the investigation finds more sensitive data was exposed.
Tension in the investigation lies in two conflicting facts: the apparent ease of access to some data via an internal intranet suggests an insider vector, while the transfer of the channel for cryptocurrency and its resale on a marketplace points to a commercial marketplace for stolen information operated beyond the company's walls. Those two leads push investigators in different directions at once.
For the roughly 330 women whose contact details and photos were posted, the immediate consequence is personal: individual notifications and company measures to limit follow-on harm. For police and regulators the urgent task is forensic — to trace cryptocurrency flows, identify the channel operator and determine whether internal controls were bypassed or misused.
The single most consequential unanswered question now is whether investigators can link the October and December 2025 cryptocurrency trades that changed ownership of the Telegram channel to a person or network with access to CJ Group's intranet; the answer will determine whether this will be prosecuted as an external criminal enterprise buying stolen data or as a case rooted in internal access failures.
