The personal information access log management system at the Institute of Information & communications Technology Planning & Evaluation (IITP), a research and development (R&D) management agency under the Ministry of Science and ICT, was hacked. It came just seven months after a hacking incident late last year. The fallout is expected to be significant because the breach occurred at a core agency that oversees Korea's information and communications technology (ICT) R&D programs and manages national research and development budgets and researcher information.
According to the industry on the 15th, the Institute of Information & communications Technology Planning & Evaluation (IITP) had its personal information access log management system hacked on the 6th of this month. After a recent Ministry of Science and ICT security inspection, a staffer at IITP's system maintenance company reportedly entered "allow" instead of "block" for the personal information access log management system on one of several switches that protect the firewall itself. A basic lapse in administrator security measures at a specialized agency managing national ICT research and development led to the incident.
The Institute of Information & communications Technology Planning & Evaluation (IITP) manages a national ICT R&D budget totaling 1.8996 trillion won this year, including 1.3256 trillion won for technology development and 574 billion won for talent cultivation. Because the system centralizes the personal information of researchers affiliated with universities, corporations, and institutions, as well as research project information, it requires a much higher level of security management than a typical information system.
This is the IITP's hacking incident in just seven months. On Dec. 17 last year, the Institute of Information & communications Technology Planning & Evaluation (IITP) suffered an external hacking attempt that leaked some employee personal information. While files allocating duties by department were being transmitted and used via email, persistent advanced persistent threat (APT) attacks from outside led to data being leaked. The personal information items leaked at the time were employees' affiliations, ranks, names, office phone numbers, and job responsibilities.
Although Hong Jin-bae, president of the Institute of Information & communications Technology Planning & Evaluation (IITP), said in April this year that he would "create an environment where researchers can immerse themselves in innovation," the hacking incident in the institute's own system that manages researcher personal information and research and development data has prompted criticism that security management, the foundation of the institute's research environment, must first be strengthened.
The Institute of Information & communications Technology Planning & Evaluation (IITP) said it is still investigating whether information was leaked by the hacking, as well as the scope and type. IITP is checking access logs to determine whether other information was exfiltrated. An IITP official said, "A hacking breach was confirmed, so we completed a report to the Personal Information Protection Commission, and even after an initial forensic examination, the access record logs did not show what information was leaked, so the solution developer that built the log system is determining through the logs what information was leaked," adding, "We are checking whether databases such as researcher personal information were taken."
With repeated hacking incidents, criticism of the security management system is inevitable. Moreover, while the late-year hacking involved internal employee information, this incident concerns log records of researchers and project participants accessing from outside, not inside, making the situation different.
The hacking occurred on the 6th of this month, and the report was not filed until the 9th, according to accounts. Under the Personal Information Protection Act, personal information controllers such as corporations or institutions must report to the Personal Information Protection Commission within 72 hours if personal information of at least 1,000 data subjects is leaked, or if sensitive information or unique identification information is leaked.
A person familiar with internal affairs said, "Given the IITP's characteristics, its system service type targets the general public," adding, "It is also highly likely that information on researchers who have participated in R&D projects for years is included."
Following the hacking of the government startup support platform "Everyone's Startup," the attack has now reached the IITP's personal information access log management system, prompting calls to review the security management systems across public ICT platforms responsible for research and development and startup support.