Personal Information Commission and KISA Release Report on Personal Information Leakage Trends
Hacking Cases Increase by 20... Techniques Include SQL Injection and Credential Stuffing
Reports from Public Institutions Rise Due to Stricter Reporting Standards
More than half of the personal information leakage incidents that occurred last year were caused by hacking. The number of personal information leakage reports from public institutions more than doubled compared to the previous year.
The Personal Information Protection Commission and the Korea Internet & Security Agency (KISA) announced on the 20th that they have published the report titled "2024 Personal Information Leakage Report Trends and Prevention Methods," which analyzes the personal information leakage incidents reported throughout 2024 and includes preventive measures based on the causes.
According to the report, a total of 307 leakage reports were received last year, showing a similar level to the 318 cases in 2023. The cause of leakage was hacking in 56% (171 cases), accounting for the highest proportion. This was followed by work negligence at 30% (91 cases) and system errors at 7% (23 cases). While the number of hacking cases increased by 20 from 151 cases the previous year, leakage incidents caused by work negligence (116 cases → 91 cases) and system errors (29 cases → 23 cases) decreased.
Among the hacking incidents, the most frequently reported techniques were abnormal access to administrator pages (23 cases), SQL injection (17 cases), malware (13 cases) and credential stuffing (9 cases); in about half of the hacking cases (87) the technique could not be identified. SQL injection is a technique in which attacker-supplied input is inserted into the SQL commands an application uses to query its database, changing the meaning of the query so that it returns or alters data the attacker should not be able to reach. Credential stuffing is a technique in which account credentials already obtained from one breach are tried against other sites, exploiting users who reuse the same ID and password.
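The following Python example is added here to illustrate the SQL injection technique described above; it is not part of the report or the article. It builds a constructed in-memory member table, runs a lookup that concatenates user input into the query text (the vulnerable pattern), and runs the same lookup with a bound parameter (the fix at the application level, which is what a web application firewall can only approximate). The member data, table name and payloads are all invented for the example.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a site's member database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, email, phone) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "010-1111-1111"),
         ("bob", "bob@example.com", "010-2222-2222"),
         ("carol", "carol@example.com", "010-3333-3333")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the user-supplied value is spliced into the SQL text, so a crafted
    # value can close the string literal and append its own SQL (the injection).
    sql = f"SELECT username, email, phone FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the query text is fixed and the value is bound as a parameter,
    # so whatever the input contains it is only ever compared as a string.
    sql = "SELECT username, email, phone FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # Tautology payload: turns the WHERE clause into "... = 'x' OR '1'='1'" and dumps every row.
    tautology = "x' OR '1'='1"
    # UNION payload: pulls the schema catalogue through the same three output columns
    # and comments out the application's trailing quote.
    union = "x' UNION SELECT name, sql, '' FROM sqlite_master --"
    return {
        "vulnerable_tautology_rows": len(lookup_vulnerable(conn, tautology)),
        "vulnerable_union_tables": [row[0] for row in lookup_vulnerable(conn, union)],
        "safe_tautology_rows": len(lookup_safe(conn, tautology)),
        "safe_union_rows": len(lookup_safe(conn, union)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable lookup the tautology payload returns all three members and the UNION payload returns the table name and its CREATE statement; against the parameterised lookup both payloads return nothing, because no member literally has that username.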
Leakage types caused by work negligence were mostly due to mistakes. Posting personal information files on bulletin boards or group chat rooms accounted for 27 cases, sending emails to multiple recipients simultaneously accounted for 10 cases, and mistakenly attaching personal information files in emails or official documents accounted for 7 cases.
Among leakage incidents caused by system errors, errors in application source code (14 cases) accounted for more than half, and there were also cases (8 cases) in which personal information was exposed to unauthorized persons because of errors in API (Application Programming Interface) integrations.
By institution, reports of leakage from public institutions more than doubled. Last year, leakage reports from public institutions accounted for 34% (104 cases), a significant increase from 41 cases the previous year. The Personal Information Protection Commission explained that this was due to the stricter reporting standard for public institutions under the revised Personal Information Protection Act, which took effect in September 2023. Under the revised law, a public institution must report a leak if even a single record of sensitive information or unique identification information is affected; previously, only leaks affecting 1,000 or more people had to be reported. In fact, 68% (71 cases) of last year's leakage reports from public institutions affected fewer than 1,000 people.
By detailed public institution category, central administrative agencies and local governments accounted for 42%, universities and education offices 41%, and public institutions and special corporations 17% of the leakage reports.
Leakage reports from private companies accounted for 66% (203 cases), a decrease compared to 277 cases the previous year. By institution type, small and medium-sized enterprises accounted for 60%, overseas businesses 12%, associations 12%, mid-sized companies 11%, and large corporations 5%.
The Personal Information Protection Commission emphasized in the report that, to prevent personal information leakage through credential stuffing attacks, protective measures must be in place to detect and block repeated ID and password attempts on pages where personal information is entered. It also said that policies to block SQL injection attacks through the deployment of web application firewalls (WAF) are necessary.
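The following Python example is added here to show one way the detection the Commission recommends can be implemented; it is not code from the report or the article. It runs over constructed login-log lines (invented for the example, in a "timestamp ip username result" format) and applies two sliding-window rules: a source IP that fails against many distinct accounts in a short window is treated as credential stuffing and blocked, and an account that accumulates repeated failures is locked. It also records a successful login from an already-blocked IP, which in a stuffing attack is the account that was actually compromised. The window and thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data). Columns: timestamp, source IP, username, result.
# 203.0.113.7 sprays five different accounts and hits one; 198.51.100.4 is a user who
# mistyped twice; 192.0.2.9 hammers a single account.
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.7 alice FAIL
2024-05-01T09:00:01 203.0.113.7 bob FAIL
2024-05-01T09:00:01 203.0.113.7 carol FAIL
2024-05-01T09:00:02 203.0.113.7 dave FAIL
2024-05-01T09:00:02 203.0.113.7 erin FAIL
2024-05-01T09:00:03 203.0.113.7 frank OK
2024-05-01T09:00:10 198.51.100.4 grace FAIL
2024-05-01T09:00:40 198.51.100.4 grace FAIL
2024-05-01T09:01:20 198.51.100.4 grace OK
2024-05-01T09:05:00 192.0.2.9 heidi FAIL
2024-05-01T09:05:01 192.0.2.9 heidi FAIL
2024-05-01T09:05:02 192.0.2.9 heidi FAIL
2024-05-01T09:05:03 192.0.2.9 heidi FAIL
2024-05-01T09:05:04 192.0.2.9 heidi FAIL
2024-05-01T09:05:05 192.0.2.9 heidi FAIL
"""

# Assumed tuning values for the example; a real deployment would calibrate these.
WINDOW_SECONDS = 60
STUFFING_MIN_FAILURES = 5   # failures from one IP inside the window ...
STUFFING_MIN_ACCOUNTS = 4   # ... spread over at least this many distinct usernames
LOCKOUT_MIN_FAILURES = 5    # failures against one account inside the window


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def trim(window, now):
    # Drop entries older than the sliding window; entries are (timestamp, payload).
    while window and (now - window[0][0]).total_seconds() > WINDOW_SECONDS:
        window.popleft()


def detect(log_text):
    """Single pass over the log. Returns (blocked_ips, locked_accounts, hits_from_blocked_ips)."""
    fails_by_ip = defaultdict(deque)     # ip   -> deque of (ts, username)
    fails_by_user = defaultdict(deque)   # user -> deque of (ts, ip)
    blocked_ips, locked_accounts, hits = set(), set(), set()

    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)

        if result == "OK":
            # A success from a source already classified as stuffing is the leaked account.
            if ip in blocked_ips:
                hits.add(user)
            continue

        ip_window = fails_by_ip[ip]
        ip_window.append((ts, user))
        trim(ip_window, ts)
        distinct_users = {u for _, u in ip_window}
        if len(ip_window) >= STUFFING_MIN_FAILURES and len(distinct_users) >= STUFFING_MIN_ACCOUNTS:
            blocked_ips.add(ip)

        user_window = fails_by_user[user]
        user_window.append((ts, ip))
        trim(user_window, ts)
        if len(user_window) >= LOCKOUT_MIN_FAILURES:
            locked_accounts.add(user)

    return blocked_ips, locked_accounts, hits


if __name__ == "__main__":
    blocked, locked, hits = detect(SAMPLE_LOG)
    print("blocked IPs:", sorted(blocked))
    print("locked accounts:", sorted(locked))
    print("successful logins from blocked IPs:", sorted(hits))
```

The two rules separate the cases the article lumps together: the per-IP rule catches the many-accounts, few-attempts-each pattern of credential stuffing, which a per-account lockout alone never sees, while the per-account rule catches the repeated attempts against one account that a lockout is meant for. In the sample, the legitimate user who mistypes twice triggers neither.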
To prevent personal information leakage caused by work negligence, the Commission advised checking whether sensitive personal information such as resident registration numbers is included before uploading materials to bulletin boards or websites; setting email clients to send to recipients individually by default; and protecting work devices that hold personal information with passwords and file encryption.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.