
The Personal Information Protection Commission imposed a 703 million won penalty surcharge and 4.8 million won in fines on the National Research Foundation of Korea (NRF), where personal information of about 120,000 people was leaked due to a hack of the online paper submission system (JAMS).

The Personal Information Protection Commission said on the 29th that it had held a full meeting on the 28th and resolved on these sanctions, citing the foundation's violation of personal information safety measures and its inadequate implementation of leak notifications.

An investigation found that in June last year, a hacker exploited a vulnerability in the "find password" function on a society page within JAMS, tampering with request parameters and inserting arbitrary email addresses to view the personal information of about 120,000 members. The leaked information comprised 44 items in total, including name, ID, email, mobile phone number, and bank account number.

JAMS is an online paper submission and review system operated by the National Research Foundation of Korea (NRF), consisting of a portal and 1,617 society pages. It was found that if the email address included in the internet address (URL) of the find password page was arbitrarily changed, the personal information screen would be displayed even though the other required values had not been entered.

The Personal Information Protection Commission pointed out that although the vulnerability had existed since 2013, the foundation failed to detect and fix it for an extended period. The foundation conducted checks only on the portal and did not separately inspect the numerous society pages.
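The flaw pattern described above (an email value in the password-recovery request selects a member record and the profile screen is rendered before the other required fields are verified), shown beside a hardened handler and a probe that flags any handler still exposing personal data. This is an added illustration written for this article, not JAMS code; the member records, field names, and in-memory token store are constructed placeholders. The probe is the kind of check that would need to run against each society page, not only the portal.

```python
import hashlib
import hmac
import secrets

# Constructed sample member records (hypothetical, not real data).
MEMBERS = {
    "alice@example.org": {"name": "Alice Kim", "login_id": "alice01",
                          "phone": "010-0000-0001", "bank_account": "000-11-22222"},
    "bob@example.org": {"name": "Bob Lee", "login_id": "bob77",
                        "phone": "010-0000-0002", "bank_account": "000-33-44444"},
}
OUTBOX = []          # simulated out-of-band (email) delivery of reset tokens
PENDING_RESETS = {}  # sha256(token) -> email; hypothetical server-side store
SENSITIVE = {"name", "login_id", "phone", "bank_account"}


def vulnerable_find_password(params):
    """Flaw pattern: the email taken from the request picks the record and the
    whole profile is returned before name/login ID are checked, so changing
    the email value dumps any member's data."""
    member = MEMBERS.get(params.get("email", ""))
    if member is None:
        return {"status": "not_found"}
    return {"status": "ok", "profile": member}


def hardened_find_password(params):
    """Hardened form: all required identifiers must be present and match,
    the caller never sees profile data, and a one-time token goes only to
    the address on file. Mismatches get the same generic reply, so the
    endpoint cannot be used to confirm which emails are registered."""
    required = ("email", "login_id", "name")
    if any(not params.get(k) for k in required):
        return {"status": "error", "reason": "missing_required"}
    member = MEMBERS.get(params["email"])
    ok = member is not None and all(
        hmac.compare_digest(member[k].encode(), params[k].encode())
        for k in ("login_id", "name"))
    if ok:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[hashlib.sha256(token.encode()).hexdigest()] = params["email"]
        OUTBOX.append((params["email"], token))  # delivered out of band only
    return {"status": "sent"}


def leaks_profile(handler, email):
    """Inspection probe: submit only a tampered email with the other required
    fields blank and flag the handler if personal data comes back."""
    resp = handler({"email": email})
    return bool(SENSITIVE & set(resp.get("profile", {})))
```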

In addition, in the process of notifying about the personal information leak, the foundation omitted some key leaked items, such as mobile phone numbers and bank account numbers, and thus did not properly carry out the notification. A total of 116 resident registration numbers that some members arbitrarily entered in the remarks field were also leaked.

It was found that even after the hacking incident, operations continued without sufficient system improvements, leading to secondary damage from identity theft in members' names, and the post-incident response was also inadequate.

Determining the incident to be a serious personal information leak, the Personal Information Protection Commission ordered a penalty surcharge and fines, along with a vulnerability inspection across JAMS, re-notification, a recommendation to discipline those responsible, and publication of the disposition results.
