Personal Information Commission Approves Measures at Full Meeting on June 11
System Vulnerabilities Present Since Initial Implementation
Negligent Monitoring During Weekends and Nights
Jeonbuk National University and Ewha Womans University have been fined a total of 966 million won in administrative fines and 5.4 million won in penalties after the personal information of tens of thousands of individuals was leaked due to insufficient safety measures.
The Personal Information Protection Commission held a general meeting on June 11 and decided to impose an administrative fine of 623 million won and a penalty of 5.4 million won on Jeonbuk National University, where the personal information of 320,000 people was leaked. Ewha Womans University, where information on approximately 83,000 people was leaked, was fined 343 million won.
The commission's investigation found that vulnerabilities had existed in the academic information systems of both universities since their initial implementation. It was also confirmed that proper monitoring to detect and block illegal external access was not conducted during nights and weekends, meaning the universities neglected their safety obligations.
In the case of Jeonbuk National University, in July last year, a hacker infiltrated the academic administration information system using injection (database command injection) and parameter (input value) manipulation attacks. Through this, the hacker stole the personal information of more than 320,000 individuals, including approximately 280,000 resident registration numbers.
The hacker exploited a vulnerability on the password recovery page of the academic administration information system to obtain student ID information. Using this, the hacker accessed personal information by manipulating parameters and conducting random entries approximately 900,000 times on pages such as the academic record inquiry page.
Jeonbuk National University only recognized the abnormal surge in traffic, which occurred during weekends and nights, after a significant delay. The Personal Information Protection Commission has issued a corrective order requiring the university to establish a continuous monitoring system and has also recommended disciplinary action against those responsible.
In September last year, a hacker infiltrated Ewha Womans University's integrated administration system and stole the personal information of approximately 83,000 individuals, including their resident registration numbers. It was also revealed that, since the system was built in November 2015, vulnerabilities had existed and that the university had neglected monitoring during weekends and nights, resulting in insufficient measures to control illegal external access.
The commission stated that, from last year until the end of May this year, there have been 21 reports of personal information leaks at universities nationwide. Accordingly, the commission plans to request the Ministry of Education to take measures to strengthen personal information management in academic information management systems at universities across the country and to consider reflecting related matters in university evaluations.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
