Last year, more than half of the reported causes of personal information leaks were attributed to hacking. Hacking specifically targeted the management pages of public institutions and corporations.
According to the report titled '2024 Personal Information Leak Reporting Trends and Prevention Methods,' released on the 20th by the Personal Information Protection Commission and the Korea Internet & Security Agency, 56% of the 307 leak reports received from the two organizations last year were caused by hacking. Under the Personal Information Protection Act, all personal information processors are required to report any leaks to the Personal Information Protection Commission within 72 hours of becoming aware.
Reports of leaks caused by hacking increased from 151 cases in 2023 to 171 cases in 2024. The proportion of such reports also rose from 48% to 56% during the same period. Among the types of hacking incidents, 'abnormal access to management pages' was the most common, with 23 cases.
Subsequently, incidents included 'SQL injection' (17 cases), where malicious hacking code is injected to exploit security vulnerabilities in web pages and take control of databases, followed by 'malicious code' (13 cases) and 'credential stuffing' (9 cases), where user account information collected from other sites is randomly inputted to attempt logins. Unresolved incidents (87 cases) accounted for over half. Additionally, 30% (91 cases) were attributed to workplace negligence and 7% (23 cases) to system errors.
By type of reporting agency, 66% were private corporations and 34% were public institutions. Reports of leaks from public institutions more than doubled from 41 cases in 2023 to 104 cases last year. In terms of specific public institutions, central administrative agencies and local governments accounted for 42%, universities and educational offices for 41%, and public institutions and special corporations for 17%.
The Personal Information Protection Commission emphasized that measures must be established to detect and block repeated attempts to input IDs or passwords to prevent personal information leaks caused by credential stuffing attacks. It is also necessary to implement policies that can detect and block SQL injection attacks, such as installing web application firewalls.
Additionally, to prevent personal information leaks due to workplace negligence, it was advised to check whether sensitive information, such as resident registration numbers, is included when posting materials on boards or homepages, and to set the individual recipient forwarding function as the default when sending emails.