Korea Fines Pension Agency, District Office Over 900 Million Won for Civil Servant Data Breaches

By Lee Jin-seok
Personal Information Protection Commission - Seoul Economic Daily Technology News from South Korea

The Personal Information Protection Commission (PIPC) said Monday it imposed a combined 914.8 million won ($640,000) in fines on the Government Employees Pension Service (GEPS) and the Gangbuk District Office in Seoul for violating personal data safety obligations.

The PIPC held a plenary session Sunday and voted to impose the penalties on the two public institutions for breaching the Personal Information Protection Act.

At GEPS, an outsider accessed the agency's Pension Service Support System (now the Intelligent Pension Welfare System) between April 2022 and October 2023, illegally viewing personal data — including personnel record cards, income details and contribution payment records — of 1,036 government employees.

The PIPC's investigation found that GEPS approved all five access authorization requests without properly verifying the authenticity of submitted documents, despite suspicious circumstances such as missing applicant signatures, absent agency head seals and forged stamps.

GEPS also failed to promptly revoke system access for personnel who had been transferred or reassigned and no longer held pension administrator authority. The agency was additionally found to have neglected the retention and management of system access logs, as well as the review of login records for pension administrators at each institution.

The PIPC accordingly imposed a fine of 532 million won on GEPS and ordered disciplinary recommendations, public disclosure and a disclosure mandate.

At the Gangbuk District Office, a mass hacking incident occurred in March 2024. A hacker accessed the management page of the district's video information provision system and downloaded personal data — including names, authentication credentials and organizational affiliations — of 973 civil servants, including police officers.

Lax management was again the cause. The investigation found that the Gangbuk District Office failed to restrict access to its personal data processing system and did not apply secure authentication measures for external network connections, allowing the hacker illegal entry. The office also encrypted passwords using an insecure algorithm, failed to retain and manage access logs for data handlers for at least one year, and omitted certain required items in its breach notification to affected individuals.

The PIPC imposed a fine of 378 million won and an additional administrative penalty of 4.8 million won on the Gangbuk District Office. The commission also recommended corrective measures requiring the office to notify affected parties of the previously omitted items, and ordered public disclosure.

"The data breaches at these two institutions resulted from neglecting basic safety obligations under the Personal Information Protection Act," a PIPC official said. "We will use this case as an opportunity to continuously guide local governments to comply with their safety obligations, including ensuring that management pages for personal data processing systems are not exposed externally."

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.