hankyoreh

Personal records from workers at South Korea’s public institutions are available online through the search engine Google. If left uncorrected, there is potential for serious damage to the individuals whose information has been left unprotected, as the online records include not only basic information such as their resident registration numbers and addresses, but also tax and financial information.

A survey performed by the Hankyoreh with help from a security expert on January 28 confirmed more than 5,400 such cases. The information leakage was discovered at the Web sites of 452 public institutions, including the presidential office, central government agencies, the legislature and the judiciary, local governments, schools, and medical institutions.

If one knows the birthday of someone working at a public institution and the domain address of the Internet site of the concerned institution, one can easily access individual records through Google, as the first six digits of the national registration number is a person’s birthdate. In addition, as several people in one institution may share a birthdate, the same six digits may unlock at once the private information available to several people.

There are two kinds of data being leaked. The first are resident registration numbers and addresses posted on bulletin boards of public institutions. The second are individual records contained in internal documents of public institutions, which are supposed to be closed to the general public.

Even more alarming, for information on bulletin boards, people can also alter the records of others by entering the site using a "writer" mode or "user" mode. The presidential office and a regional office in Daejeon are good examples of public institutions whose bulletin boards are vulnerable to third party tampering via a "user" mode. Internal documents of public institutions can be downloaded through this same mode.

Most seriously, by using the first six digits of a public employee’s resident registration number, anyone can potentially access sensitive or confidential documents available to that person, even without using illegal means such as hacking or introducing viral spyware. In particular, at the Web site of the Ministry of Government Administration and Home Affairs, which is in charge of individual records from all public institutions, documents supposedly accessible using only the ID and password of related government employees were searched using just the first six digits of a government employee’s resident registration number. So far, 173 such cases have been confirmed. In addition, a list of about 500 job seekers was exposed via the Internet site of the Ministry of Labor’s employment security network.

"Such an occurrence is due to Google’s search technology meeting Korea’s individual information management system under the special circumstance of this country’s resident registration number system," said lawyer Kim Gi-jung. "It is necessary to perform an overall review of the nation’s information management system. Such exposures themselves are a problem, but it is doubtful whether Google, which is not incorporated in Korea, can swiftly cope with the matter," added the lawyer.

Please direct questions or comments to [englishhani@hani.co.kr]