The Court Administration Office, which leaked personal information of nearly 18,000 citizens including resident registration numbers and marriage certificates to North Korea, will face a penalty surcharge of over 200 million won. This is the largest amount ever for a public institution based on the criteria before the revision of the Personal Information Protection Act.
Analyses suggest that the scale of the revealed leak accounts for only about 0.4% of the total leaked data, indicating that the actual leaked personal information could be hundreds of times greater.
The Personal Information Protection Commission noted on the 9th that it held its '1st General Meeting' the previous day and voted to impose a penalty surcharge and corrective order of this scale on the Court Administration Office for violating the Personal Information Protection Act.
According to the investigation by the Personal Information Protection Commission, it was revealed that the Court Administration Office opened a network communication channel called 'port' to allow interconnection between internal and external networks for user convenience.
Exploiting this gap, hackers intruded and leaked 1014 gigabytes (GB) of data containing a large number of documents, including handwritten statements, marriage certificates, and medical records, stored on the internal electronic litigation server.
According to police, a hacker group known as 'Lazarus,' under North Korea's Reconnaissance General Bureau, hacked the court's computer system and transmitted about 1014GB of court data to four domestic servers and four overseas servers from at least Jan. 7, 2021, to Feb. 9, 2023.
An analysis of 4.7GB of files recovered from the police investigation revealed personal information of 17,998 individuals, including resident registration numbers. Specifically, it included 2,010 resident registration numbers, 15,000 names, 2,300 birth dates, 2,000 contact numbers, and 10,089 litigation-related documents.
Considering that the restored scale accounts for only 0.46% of the total leakage, the Personal Information Protection Commission explained that it cannot be ruled out that the actual number of personal information leaks may exceed the confirmed scale by over 250 times.
It was revealed that the Court Administration Office failed to encrypt litigation documents containing resident registration numbers while storing them on the electronic litigation server.
The initial passwords for the Internet AD (virtual system account) server administrator account and the Internet virtualization PC handler account were easy to guess and were used as they were.
It was also pointed out that basic safety measures, such as not installing security programs like antivirus software on the 'internet virtualization web server' within the internal network, were inadequate.
Additionally, the Court Administration Office recognized signs of personal information leakage in April 2023 but only reported this fact and posted a related notice on its website in December of the same year, about eight months later.
As a result, the Personal Information Protection Commission decided to impose a penalty surcharge of 207 million won and fines of 6 million won on the Court Administration Office and to publicly announce the relevant details.
The penalty surcharge imposed on the Court Administration Office is the largest among public institutions based on the criteria before the revision of the Personal Information Protection Act in September 2023.
Including after the revision, the highest penalty surcharge for a public institution was 480 million won imposed on the Korea Social Welfare Council, which leaked personal information of 1.35 million individuals, last September.