The Board of Audit and Inspection said simulated hacking of seven public systems that hold large amounts of personal information, carried out with white-hat hackers, showed that all could be breached. In some cases, it was effectively possible to check the resident registration numbers of the entire population.
The Board of Audit and Inspection released the findings of an audit titled "Status of personal information protection and management" on the 27th. The Board of Audit and Inspection mobilized 11 white-hat hackers working in the public institutional sector and conducted simulated hacking on seven of 123 public systems that hold large amounts of personal information.
As a result, in one system, the process of validating input values did not work properly, so repeated attempts allowed access to the resident registration numbers of 50 million people. Another system also failed to block abnormal queries, allowing the theft of information on 10 million members in just 20 minutes.
In another case, because critical information needed to access the system was not encrypted, if a hacker obtained administrator privileges, they could steal the resident registration numbers of 130,000 people.
The Board of Audit and Inspection did not disclose which seven public systems were involved or how the simulated hacking was conducted, citing the possibility of additional harm. It delivered the results of the simulated hacking to the heads of the agencies operating the systems and took corrective measures.
The Board of Audit and Inspection notified the chairperson of the Personal Information Protection Commission to draw up measures to strengthen safety, such as requiring annual analysis and assessment of security vulnerabilities against external hacking through a specialized institution.