The Korea Herald

지나쌤

[Editorial] Data leak disclosure

Interior Ministry fails to announce private data leak in time, adding to public mistrust

By Korea Herald

Published : May 7, 2024 - 05:29

    • Link copied

The Ministry of the Interior and Safety on Sunday admitted that more than 1200 civil documents were erroneously issued to the wrong applicants last month, resulting in the exposure of sensitive private information -- a major cybersecurity breach that illustrates the weakness of a public online service and the poor handling of such incidents by a government agency.

The breach at Government24 (gov.kr), the government’s civil service portal that provides certification issuances and other document services for public use, involved a total of 1,233 documents. On May 1, the Interior Ministry noticed that 646 graduation and other certificates were wrongly issued. On May 19, the ministry spotted that 587 corporate tax payment certificates were issued to the wrong applicants.

Both incidents led to the exposure of sensitive personal data including names, addresses and resident registration numbers. The ministry said it deleted the wrongly issued documents and notified people involved of the data leaked via phone or mail.

The Interior Ministry said the program developer’s mistake is responsible for Government24’s error and reported the cases to the Personal Information Protection Commission, which is now investigating the data breach.

Given that Government24 attracts some 1.5 million users and issues 1.1 million public documents on a daily basis, the alleged program’s error linked to private information exposure should be taken as a serious incident. South Korea boasts of its e-government network systems, but these critical online networks are still vulnerable to glitches, which could lead to massive data leaks.

The Interior Ministry is also under fire for failing to promptly make public the major private data leak at the government’s civil service portal since it admitted to the incident occurring only after related media reports first came out Saturday.

It is also regrettable that the Interior Ministry on Saturday refused to reveal the exact details of the data breach, including dates, the number of leaked documents and the cause. As for a media report that 1,400 documents were leaked, the ministry said the scale is “smaller than that.” The ministry reportedly said, “The incidents took place in the past, and the issuance of documents has been normalized” -- a comment that appears to downplay the seriousness of the incident as a one-off or temporary glitch.

On Sunday, the ministry belatedly shared the details, only after public criticism mounted about its complacency regarding cybersecurity and negligence of its duty. It said it will develop a new graduation issuance verification program to prevent the recurrence of wrong issuances, and block errors in the issuance of corporate tax payment certificates by removing unnecessary data links.

It is common sense that if a major data leak happens through public sites, the government agency in question should immediately report the case to authorities, fix the errors and announce the details of the incident to the public without delay.

But Interior Ministry officials decided not to disclose the data breach in time and refused to reveal details even after related reports came out. Such evasive and irresponsible behavior by public officials in charge of crucial state online networks is feared to compromise the country’s cybersecurity.

Worryingly, the country’s public online systems have been hit by a series of glitches. The National Education Information System, or NEIS, has suffered multiple technical glitches since its launch in June last year. In November, the electronic administrative network for public workers, called Saeol, and the civil service portal, Government24, went down, paralyzing major administrative operations. In addition, the next-generation local tax system was launched in February, only to struggle with technical errors for a month.

To restore public trust in the state-run online services saddled with technical glitches, the government should fix the gaping holes in cybersecurity and step up rules on response procedures for data breaches.