Apology regarding the JAMS hacking incident by the National Research Foundation of Korea (NRF) /Courtesy of News1

It was revealed that the 24-hour hacking monitoring system at the National Research Foundation of Korea (NRF), where personal information of 120,000 scientists was leaked due to hacking in June, was not properly operational. The foundation, citing budget constraints, also has no proper measures in place to compensate for the hacking damage.

According to the National Assembly and the foundation on the 22nd, the National Assembly Research Service held a meeting earlier this month to discuss legislative tasks aimed at strengthening information security at the National Research Foundation of Korea (NRF). Officials from the NRF and the Ministry of Education, as well as the National Assembly Research Service, attended the meeting.

The National Research Foundation of Korea (NRF) reported that the online paper submission review system (JAMS) was hacked last month, resulting in the leak of personal information of 120,000 scientists. At that time, personal information of 122,954 individuals among the 790,000 JAMS users had been compromised. All personal information entered during membership registration (name, ID, date of birth, mobile phone number, workplace, account, etc.) was leaked, including the resident registration numbers of 116 individuals.

On June 17, ten days after the hacking occurred, it was confirmed that 1,559 victims had been enrolled in a specific academic society under their names without authorization. This confirms the secondary harm of identity theft.

During this meeting, the specific causes of the large-scale hacking incident at the National Research Foundation of Korea (NRF) were revealed. The NRF stated that the Cyber Safety Center conducts integrated monitoring 24 hours a day, allowing them to detect hacking immediately. However, the NRF became aware of the hacking incident at 9:45 a.m. on June 6, seven hours after it occurred. Even that was only because a suspicious report was received. The NRF reported the hacking incident to the Ministry of Science and ICT at 10:50 p.m., 20 hours after it occurred.

Regarding the delayed recognition, the NRF explained that it was due to 'lack of personnel.' Lee Won-deok, head of the information security team at NRF, stated at the meeting that they were unable to operate the 24-hour hacking monitoring system due to a shortage of manpower. In response, an NRF official noted, "Although the Cyber Safety Center is responsible for 24-hour integrated monitoring, they failed to recognize the hacking incident," adding, "Lee Won-deok's statement means that there is no separate hacking monitoring system at NRF apart from the Cyber Safety Center."

The NRF stated that it has formed a task force (TF) to establish measures to prevent recurrence following the hacking incident.

The compensation measures for victims are also inadequate. The NRF revealed during the meeting that it is considering temporarily lowering paper review fees as a form of compensation for the victims. This differs from how compensation has been handled in other large-scale hacking incidents. In this regard, Lee Seok-rae, Secretary General of the NRF, noted during the meeting that as a public institution, it is difficult to secure a budget for compensation.

An NRF official stated, "We are reviewing various compensation measures, and lowering the paper review fee is among them."

The National Assembly Research Service pointed out serious vulnerabilities in the information protection systems of public institutions, including the NRF, and called for system improvements. Hwang Hyun-hee, head of the science, broadcasting, and communication team at the National Assembly Research Service, stated in the report 'Issues and Points' that there is a need to elevate the legal basis for cybersecurity diagnosis and inspection of public institutions to higher laws, while introducing sanctions and expanding the scope of information protection certification and disclosure obligations to public institutions. Additionally, she suggested considering a mandate for 'immediate notification upon recognition' in cases where high-risk information is leaked.

She also emphasized that a compensation system for hacking damage in public institutions must be established again. The leakage of personal information causes the same harm whether the institution is private or public, so she argued that an effective damage compensation system is needed for hacking incidents affecting public institutions.
