Hackers breach all tested public-sector systems in Korean audit board's simulated cyberattack

Korea’s Board of Audit and Inspection found that hackers breached all seven public-sector systems tested in a simulated cyberattack, exposing serious weaknesses in the government's protection of large volumes of personal data.

The Board of Audit and Inspection said Tuesday that the findings came from penetration tests conducted with white-hat hackers and national security agencies. In one case, auditors were able to access resident registration numbers for nearly the entire population.

The results were released in an audit report on personal data protection and management. The on-site inspections took place in November and December 2024.

The tests were carried out jointly by the Board of Audit and Inspection, the National Security Research Institute and the Cyber Operations Command. The targets were seven of the 123 public systems designated by the Personal Information Protection Commission (PIPC) for intensive management, selected for their public-facing services and the large amount of personal data they hold.

In one system, the board said it was possible to query resident registration numbers and other information for around 50 million people — meaning that the resident registration numbers of virtually all citizens could have been stolen.

In another system, hackers could steal the data of 10 million members within 20 minutes. The board also said it identified a public system where critical information needed to access the system was not encrypted, allowing a hacker who obtained administrator privileges to steal the resident registration numbers of 130,000 people.  

Security vulnerabilities were found in all seven systems that were tested, allowing them to be breached.

The board said it notified the heads of the institutions operating the seven systems and that corrective measures had been completed. However, it decided not to disclose which systems were tested or the specific methods used.

“Disclosing them could make them targets for hackers and lead to even greater damage,” a board official said.

The audit also found instances in which retired employees were still able to access public systems. At the Gyeonggi Office of Education, about 3,000 contract teachers who had retired were able to continue logging into an education administration system because their access privileges had not been revoked.  

The PIPC has been pushing to link personnel records electronically so that access for employees who retire or transfer can be revoked in a timely manner, but the office was omitted from that linkage.

The board also pointed to low usage of the PIPC’s “Find My Leaked Info” (translated) service. As of 2023, only 1.7 percent of all internet users visited the service.

In addition, the board said that when personal information is leaked, the PIPC should take proactive steps to prevent secondary harm — such as requiring the affected site to reset user IDs and passwords — but the commission has responded passively, citing a lack of legal grounds.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.

BY YOON SUNG-MIN [kim.minyoung5@joongang.co.kr]