'Password Changes Without User Consent' Sparks Debate
Seo Samsuk: "Violation of Personal Information Protection Act... Responsibility to Be Examined"
Seosamsuk, member of the Democratic Party of Korea.
Controversy has arisen after it was revealed that the Rural Development Administration (RDA) changed user passwords en masse without obtaining consent from victims, following a hacking incident in which approximately 407,000 personal information records were leaked from the RDA’s official website.
According to audit materials submitted by Assemblyman Seo Samsuk of the Democratic Party of Korea (Yeongam, Muan, and Shinan in South Jeolla Province) on October 13, a large-scale personal information leak was confirmed across five RDA-operated websites, including the agency’s main homepage.
The breach began in April when a storage device inside the office of a company responsible for operating the RDA website was hacked. Subsequently, after subscriber information from the 'Chuksaro' website was leaked, an additional 479,000 personal information records were compromised on April 25. Excluding system duplicates, the number of actual affected accounts totaled 407,345.
Analysis of the addresses of approximately 210,000 affected accounts showed that, by metropolitan area, Gyeonggi Province had the most cases with 32,982 (15%), followed by North Gyeongsang Province (26,959), South Jeolla Province (25,710), and South Gyeongsang Province (22,220). At the municipal level, Cheongju (5,792), Suwon (5,075), Jeonju (4,326), and Yeosu (4,228) recorded the highest numbers of affected accounts.
The main issue lies with the RDA’s response after the incident. The RDA changed user passwords without obtaining consent from subscribers and failed to provide any separate notification to the victims. In response, the RDA offered the unconvincing explanation that this was due to a low password change rate among users.
Particularly concerning is the 'Comprehensive Rural Development Project Management System,' where 6,057 out of 18,146 accounts (33%) belonged to seniors aged 65 and older, raising serious concerns about the risk of secondary damage. Older users are more vulnerable to scams such as phishing and smishing.
Assemblyman Seo stated, "According to Article 39-3 of the Personal Information Protection Act, explicit consent from the data subject is required to change a password. Regardless of the intent, it is clearly prohibited by law for a data processor to arbitrarily change someone else’s password. We will thoroughly examine the legality and responsibility of this action during the upcoming audit."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
