It has been revealed that personal information such as resident registration numbers stored on the websites of public institutions is being exposed to search engines due to poor site management. In particular, it has been confirmed that a simple combination of search terms enables users to search for member information that administrators must log in to see, and that internal documents posted by local governments can be easily downloaded.

Over a ten-day period beginning Nov. 2, the Hankyoreh conducted an analysis of personal information exposures found through the Google search engine. The results showed exposures of personal information such as resident registration numbers on the sites of some 20 organizations, including the central government’s Public Information Office (PIO) and various local government and universities.

In the case of PIO, a search turned up the resident registration number of a business owner who received an environment assessment from the Ministry of Environment, which was included in the Sept. 2007 newsletter. Similarly, a 2004 announcement on the selection of a child-care service provider in a bulletin on the Daegu City website showed the resident registration number for the owner of the selected business. The Ministry of Land, Transport and Maritime Affairs also revealed the resident registration number of a business operator in a Sept. 2009 announcement on the designation of a business for channel marking supplies.

More sensitive information has also been exposed. In the case of the Dual Use Technology Center at the Agency for Defense Development, resident numbers and personal details were exposed for 11 researchers participating in technology development. The state’s integrated network exposed the resident registration number that one individual wrote on a petition, as well as information about a member of that individual’s family who is in prison. A search also turned up internally posted information and resident numbers on the home page of the National Police Agency’s center for missing children.

It was also possible to download internal materials in their entirety. A search turned up the registration numbers of 640 people registered with an area construction business on the Donghae City home page, and resident numbers for 272 people who filed protests on individual housing prices in 2005 came up on the Yangpyeong County website.

The situation was the same for university home pages. From the Sogang University site, it was possible to download a list of reservists that included resident numbers, military serial numbers and cell phone numbers for 476 people. The Yonsei University site had resident registration numbers for participating researchers on a patent application notification submitted by the Industry-Academy Cooperation Foundation. It was confirmed that this information had been left untouched for periods ranging from two or three days to two months.

Experts are saying that the basic reason personal information has been exposed like this is because public institutions are taking little care with security while constructing their home pages. In other cases, employees carelessly expose personal information while writing documents, or sensitive information inadvertently posted by people submitting appeals is not treated in a secure manner.

Jo Yeong-deuk, deputy director of the consulting team at AhnLab, an internet security company, said, “Even after an administrator logs in, he or she has to set the security for each page and put in place authentication procedures every time data is updated.” Jo commented, “When they fail to do this, it is less because of expenses or limitations in their ability and more because they do not concern themselves with security.”

Additionally, even though the Ministry of Public Administration and Security (MOPAS) announced that it had built a permanent 365-day-a-year monitoring system as of last year, the frequent cases of exposure to Google searches have some observers questioning whether this system is flawed.

Heo Jang-nyeong, an Internet security expert, said, “Ordinary citizens are basically unaware that their information has been exposed, and if they cannot be properly notified, they will be helplessly exposed to crimes such as voice fishing.” Heo added, “For several years now, whenever there has been a parliamentary audit and inspection, the government’s incomplete monitoring system is mentioned, but there still have not been improvements made.”

In response, Lee Pil-yeong, head of the personal information protection division at MOPAS, said that while it is difficult to eliminate 100 percent of exposures, they have been reduced considerably, from 10 percent in 2007 to 0.7 percent in 2009. Lee added, “Basically, each institution needs to engage in thorough management, and the MOPAS has been adopting measures such as punishing employees at these institutions when it is discovered that their carelessness has led to the exposure of personal information.”

Please direct questions or comments to [englishhani@hani.co.kr]