Cybersecurity News that Matters

National employment platform fined over data breach impacting 230,000 users

by Kuksung Nam

Jan. 26, 2024
11:35 AM GMT+9

South Korea’s privacy watchdog imposed a fine on the Korea Employment Information Service (KEIS) for its lack of safety measures to block unauthorized access to the national employment platform, which led to the private information of 230,000 users being exposed last year.

On January 25, the Personal Information Protection Commission (PIPC) stated that they imposed a fine of 8.4 million won ($6,300) on KEIS over privacy violations and ordered the public organization to improve its security practices. The decision was made during a plenary session held on January 24.

On July 6 of last year, the KEIS announced that Work-Net, a national employment platform with more than 9.7 million users, suffered a data breach that exposed more than 230,000 users’ data, including names, gender, dates of birth, addresses, phone numbers, and work experiences. The public organization assumed that the break-in was conducted through credential stuffing, a method in which criminals try stolen login credentials until they successfully gain access to a victim’s account.

The PIPC confirmed the method as credential stuffing and explained that the attacker attempted to sign into the system 73.08 times per second on average from June 18 to July 5. The criminals used 26 different IP addresses, both local and foreign, and compromised 236,527 users’ private information in total. “Although there was evidence of intrusion starting June 18, the attackers succeeded in breaking into the system beginning June 29. Therefore, we believe that the attack was focused from June 29 to July 5,” explained an official of the general investigation division of the PIPC to The Readable.

The PIPC explained that although the KEIS employed a 24-hour surveillance and monitoring system, they did not implement enough security procedures to protect the users from credential stuffing, such as adopting a two-factor authentication system, which is a second layer of protection that requires users to enter an auto-generated code to sign in. “There is not a specific number of safety protocols to decide whether an organization or a company has failed to establish necessary safety procedures from abnormal internet traffic,” explained the official. “However, we take into consideration such factors as the number of users in each system. If there is a flow of traffic that exceeds the normal amount, we also look into judicial precedents (to decide whether it is a violation of the law).”

The KEIS told The Readable that it will abide by the decision made by the privacy regulator. After the data breach, the KEIS quickly implemented enhanced security practices such as two-factor authentication and is in the process of establishing a cybersecurity control center, named the “Employment Network Cyber Security Center,” to protect users from novel cyberattacks around the clock. The KEIS plans to start the center’s operation in late February after an initial trial run, which is scheduled to occur beginning early next month.

Notification: An error in the third paragraph has been fixed from “a national employment platform with more than 970 million users,” written in the previous article, to “a national employment platform with more than 9.7 million users.”

  • Kuksung Nam
    : Author

    Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and...

  • Areum Hwang
  • Arthur Gregory Willers

    Arthur Gregory Willers is a copyeditor at The Readable, where he works to make complex cybersecurity news accessible and engaging for readers. With over 20 years in education and publishing, his exper...
