Government24 Personal Data Leak Caused by Negligence: Ministry of the Interior and Safety Fined Over 200 Million Won
Four Public Institutions and Misotech Fined Over 500 Million Won
"Continuous Monitoring of Vulnerabilities in Public Sector Informatization Projects"
The Personal Information Protection Commission announced on the 28th that it has imposed a total of more than 500 million won in fines on four public institutions and their contractor (Misotech) for violating the Personal Information Protection Act, including the Ministry of the Interior and Safety. The Commission clarified the specific responsibilities for personal information leaks that occurred during public sector informatization projects, and decided to share these disciplinary cases with related organizations.
Song Kyung-hee, Chairperson of the Personal Information Protection Commission, is delivering opening remarks at the 10th plenary session of the Personal Information Protection Commission held on the afternoon of the 27th at the Government Complex Seoul. Photo by Personal Information Protection Commission
The Ministry of the Interior and Safety was fined 273 million won and an additional 7.5 million won in penalty surcharges, along with corrective recommendations and an order for public disclosure, due to a personal information leak that occurred on Government24, the integrated administrative service portal. In April 2024, a total of 1,233 individuals’ personal information—including academic records, graduation certificates, names, dates of birth, and other details—was leaked on Government24 due to source code development errors in the Ministry of Education’s NEIS-linked civil petition documents and the National Tax Service’s tax payment certificates. In May 2023, vulnerabilities in the authentication system led to four cases of resident registration card issuance status (including one deceased individual) being accessed by unauthorized parties. Additionally, a file containing contact information for public parking lot managers posted on the Gongyoonuri website’s work board was exposed to Google search.
The Commission pointed out that the Ministry of the Interior and Safety was negligent in its oversight, such as omitting corporate issuance testing in the source code. It also failed to detect and address vulnerabilities in the authentication module used for the resident registration card issuance status inquiry service. Furthermore, the Commission noted that the Ministry did not give notice of the NEIS-linked civil petition document leak within 72 hours of recognizing the incident and had no legitimate reason for the delay. It was also confirmed that the Ministry omitted the contractor, Metabuild, from its privacy policy.
The Commission also imposed fines totaling 273.6 million won and penalty surcharges of 4.5 million won on the Rural Development Administration, the National Institute of Agricultural Sciences, the National Institute of Animal Science, and Misotech. This was due to a hacking incident where Misotech’s network-attached storage (NAS)—used to manage and maintain systems commissioned by the Rural Development Administration and its affiliated institutions—was breached, resulting in the distribution of approximately 575,000 records (including duplicates) containing personal information such as names, addresses, workplace information, and science and technology identification numbers on the dark web.
An investigation revealed that Misotech not only stored the entrusted personal information on its own NAS without authorization but also operated the system in a way that allowed access from external IP addresses. The Rural Development Administration and related institutions, as the commissioning organizations, merely collected a ‘confirmation of not holding data’ document from Misotech at the end of the service contract, without verifying whether personal information stored on laptops, external hard drives, and other devices had actually been deleted. Moreover, they failed to monitor or control the contractor’s retention of personal information and its work environment, indicating a lack of proper management and oversight.
As a result, the Commission imposed a fine of 82.5 million won and a penalty surcharge of 4.5 million won on Misotech. The Rural Development Administration and the National Institute of Agricultural Sciences were fined 168 million won and 23.1 million won, respectively. Corrective recommendations and public disclosure orders were issued to all involved parties.
The Commission stated that it will continue to monitor for potential vulnerabilities in personal information protection arising during public sector informatization projects. The Commission emphasized, “When a leak occurs due to failures in securing the stability of personal information processing systems, the public institution responsible for the system bears liability under the law for violating the safety measure obligations.” It added, “Going forward, we will continue to share these disciplinary cases with public institutions to minimize oversight gaps in contractor relationships, and will promote stronger, field-oriented supervision and management.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.