Personal Data Leaks at Government24 Trigger 273 Million Won Fine on Interior Ministry

PIPC Sanctions National Institute of Agricultural Sciences, National Institute of Animal Science, and Misotech

By Lee Jin-seok
Song Kyung-hee, chairperson of the Personal Information Protection Commission, speaks at the commission's 10th plenary meeting held at the Government Complex in Jongno-gu, Seoul, on the afternoon of the 27th. Yonhap News

The Ministry of the Interior and Safety has been ordered to pay 273 million won in fines and 7.5 million won in administrative penalties after large-scale personal data leaks occurred at "Government24," the government's integrated administrative service portal, and other systems.

According to the Personal Information Protection Commission (PIPC) on Saturday, the commission's plenary meeting on Thursday resolved to impose a combined 546.6 million won in fines and 12 million won in administrative penalties on five entities that violated the Personal Information Protection Act: the Ministry of the Interior and Safety, the Rural Development Administration (RDA), the National Institute of Agricultural Sciences, the National Institute of Animal Science, and Misotech. The RDA was fined 168 million won, while Misotech, a personal data processing contractor for the RDA and its affiliated organizations, was fined 82.5 million won along with 4.5 million won in administrative penalties. The National Institute of Agricultural Sciences was fined 23.1 million won, and the National Institute of Animal Science was issued a corrective order.

The PIPC's investigation found that the Ministry of the Interior and Safety leaked the personal information of a total of 1,233 individuals due to system development errors and lax management of security vulnerabilities.

In April 2024, the ministry leaked users' personal information after errors occurred in the source code development process for civil documents linked to the Ministry of Education's NEIS (National Education Information System) and tax payment certificates from the National Tax Service, which are issued through Government24.

In May last year, an incident occurred in which other people's issuance status could be looked up due to a vulnerability in the identity authentication module of the "Resident Registration Card Issuance Status Inquiry Service" on the Government24 website. In addition, files of officials in charge attached to the work bulletin board of "Gongyunuri," a public resource opening and sharing system, were exposed on Google's search engine. The leaked information included not only names and affiliated institutions but also school records containing grades and attendance, as well as unique identification information.

The Ministry of the Interior and Safety also became aware of the leak on April 1, 2024, but notified the affected parties only between the 11th and 22nd of the same month, far exceeding the legal reporting and notification deadline of 72 hours. It was also found that the ministry omitted "Metabuild," a contractor for outsourced work, from its personal information processing policy for about eight months.

Misotech, a personal data processing contractor for the RDA and its affiliated organizations, was hacked through its network-attached storage (NAS) device in April last year, and the stolen data was exposed on the dark web. The leaked data totaled approximately 575,000 records, counting duplicates, including names, addresses, contact information, email addresses, workplace information, and farm information.

Misotech had stored the entrusted personal information without authorization from May 2020 to April last year. The investigation found that the company operated its system in a state accessible from external IP addresses, with access controls so lax that login was possible using only the administrator account's ID and password.

The RDA and other entrusting agencies were found to have neglected the management and supervision of contractors. After service projects ended, they merely received a "data non-retention confirmation letter" from Misotech on paper, without actually checking whether personal information had been properly destroyed on laptops or external hard drives.

Original reporting by Lee Jin-seok for Seoul Economic Daily.

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.
