
The Personal Information Protection Commission imposed a total of 900 million won in penalty surcharges and fines on the Government Employees Pension Service and Gangbuk District Office in connection with personal information leaks caused by unauthorized viewing of personnel records and hacking.

On the 26th, the Personal Information Protection Commission said it resolved at the 5th plenary meeting held on the 25th to impose a 532 million won penalty surcharge on the Government Employees Pension Service, and a 378 million won penalty surcharge and 4.8 million won in fines on Gangbuk District Office.

An investigation found that from April 2022 to October 2023, an outsider accessed the pension business system at the Government Employees Pension Service and, without authorization, viewed the personnel records, income, contribution payment history, and other data of 1,036 public officials.

The service approved applications for access authority without properly verifying them, even when the forms lacked signatures or seals or showed signs of forgery, and it failed to immediately revoke access rights for users who no longer needed them due to job changes. It was also confirmed that management and inspection of access logs were inadequate.

At Gangbuk District Office in March 2024, a hacker accessed the system administrator page and stole personal information, including the names, IDs, and passwords of 973 public officials such as police officers.

The district office allowed external access without IP restrictions or additional authentication, and was found to have failed to properly implement basic security measures: it used a weak encryption method and managed access logs inadequately. It was also confirmed that some items were omitted during the breach notification process.

The Personal Information Protection Commission decided to issue a recommendation for disciplinary action and to make the matter public for both institutions, and it asked Gangbuk District Office to resend the breach notification with the omitted items included.

The Personal Information Protection Commission said it was an "incident caused by neglecting basic safety measures" and urged public institutions to strengthen their personal information protection management.
