Maximum Fine Under Previous Personal Information Protection Act
1014GB of Litigation Documents Leaked
Chairman Ko Hak-su of the Personal Information Protection Commission is presiding over the first plenary session of 2025 held on the afternoon of the 8th at the Government Seoul Office in Jongno-gu, Seoul. Provided by the Personal Information Protection Commission
A court was fined over 200 million won after its lax security system allowed a hacker group presumed to be affiliated with North Korea to steal lawsuit-related documents.
The Personal Information Protection Commission announced on the 9th that it decided to impose a total fine of 207 million won and a penalty of 6 million won on the Court Administration Office for violating personal information protection regulations. It also announced the related details and recommended that the office raise its level of personal information protection by inspecting safety measures across the entire protection system, including the operation of the personal information processing system, organization and personnel, and related regulations.
This fine is the largest ever imposed on a public institution under the Personal Information Protection Act as it stood before its amendment. Under the amended act, in force since September 2023, the highest fine is the 483 million won imposed on the Korea National Council on Social Welfare, which suffered a hacking breach that exposed the personal information of 1.35 million members.
According to the investigation by the Personal Information Protection Commission, the Court Administration Office opened and operated ports (network communication channels) that allowed mutual access between the internal and external networks for user convenience. From June 2021 to January 2023, hackers who infiltrated through these ports exfiltrated 1,014 gigabytes (GB) of lawsuit-related documents stored on the electronic litigation server. The actual infiltration date is known to be before January 7, 2021, and the hacking group is presumed to be 'Lazarus,' affiliated with North Korea.
Police analysis of 4.7GB of files restored from the hacked data confirmed the names, resident registration numbers, contact information, and addresses of 17,998 people. The police began an investigation in December last year and confirmed, through measures including a search and seizure at the Supreme Court's Computer Information Center, that a large amount of data was leaked to four domestic servers and four overseas servers. Most of the leaked data was found to have been deleted from the servers over time. Since only a portion of the data was restored, the actual damage is expected to be greater.
The Court Administration Office was also found to have stored lawsuit-related documents containing resident registration numbers on the electronic litigation server without encrypting them. It also used the initial, easily guessable passwords for the Internet AD server administrator account managing the Internet Virtualization PC users and Internet Virtualization System accounts, which are used in a virtualized internet environment like work PCs. Basic safety measures were also insufficient: the 'Internet Virtualization Web Server' located on the internal network was operated without security programs such as antivirus software installed.
In February 2023, the Court Administration Office detected malicious files and conducted its own investigation of the breach, and in April of the same year it recognized signs of personal information leakage on the court's network. However, it was confirmed that the leak was reported, and related notices were posted on the website, only in December of the same year. Notifications of the leak via mail and text messages were made between June and August last year. According to current law, personal information processors must report to the Personal Information Protection Commission within 72 hours after becoming aware of a personal information leak.
A representative of the Personal Information Protection Commission said, "Public institutions handling large amounts of personal information must strictly comply with mandatory safety measures such as installing and operating security programs and applying security updates to various operating systems."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

