A Total of 444.6 Million Won in Fines and Penalties Imposed
"Beware of Exploiting SSL-VPN Equipment Vulnerabilities"
The Personal Information Protection Commission announced on July 24 that, during its 16th general meeting, it imposed a total of 444.6 million won in fines and penalties on Haesung DS and Jeonnam Technopark for violating personal information protection regulations.
Haesung DS was fined 343 million won. This was because, in October 2023, an unidentified hacker exploited a vulnerability in Haesung DS's SSL-VP equipment to log into the VPN, access the internal network, and leak the personal information of 73,975 individuals stored on the internal file server to external sources. The leaked data included information on shareholders, executives and employees, as well as employees of partner companies. The hacker also distributed ransomware files to internal file servers and other systems, causing infections.
It was confirmed that, although the need for a security update for the SSL-VPN equipment had been announced by the manufacturer and the Korea Internet & Security Agency as early as June, Haesung DS failed to take action by the time of the hacking incident. While the hacker was carrying out the data breach, some of Haesung DS's systems did not have properly functioning antivirus software, and the company also neglected to operate effective malware prevention and treatment functions.
Jeonnam Technopark, a non-profit organization established jointly by the government, local governments, and the private sector to support small and medium-sized enterprises, was fined 98 million won and received an additional penalty of 3.6 million won. In November 2023, a hacker gained unauthorized access to the personal information processing system within the homepage (Jeonnam Science and Technology Information System) operated by Jeonnam Technopark, deleted the entire database, and left a ransom note (threat message) demanding money. At the time, the processing system contained the personal information of approximately 1,200 individuals, including names, mobile phone numbers, email addresses, and information on affiliated organizations.
According to the investigation by the Personal Information Protection Commission, Jeonnam Technopark used easily guessable IDs and passwords for accounts handling the processing system. User passwords were stored using the insecure MD5 encryption method, and passwords transmitted during login were not encrypted. Furthermore, the organization failed to restrict access to the processing system by IP address or other means, did not detect or block illegal access and attempts to leak personal information, and did not keep or manage access logs.
Additionally, Jeonnam Technopark became aware of the hacking incident on November 23, 2023, but reported the personal information leak more than 72 hours later without a valid reason. The fact was not posted on the homepage until December 1, a week after the incident.
A representative of the Personal Information Protection Commission stated, "Recently, there has been an increase in ransomware infections and personal information leaks, particularly in the manufacturing sector," and urged, "Businesses that handle personal information must conduct vulnerability checks and security updates for their services in operation, and take special care such as backing up and storing key files, including personal information databases, separately."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
