The Korea National Council on Social Welfare disclosed a possible data breach that could affect more than one million volunteer workers, issuing a notification to users to change their passwords to prevent further damage.
On January 17, the Korea National Council on Social Welfare, which is an affiliate organization of the Ministry of Health and Welfare, said that the Volunteer Management System (VMS) suffered an intrusion on its website on January 7. VMS is a system where volunteers register their work in order to receive official certification for their efforts. It also works as a meeting place, connecting volunteer workers and recruiters. More than nine million volunteers are registered with the VMS.
The public organization discovered on January 12 that a hacker allegedly tried to manipulate users’ passwords by hacking into their system’s password retrieval function. They further discovered what seemed to be an attempt to extract users’ personal information. The Korea National Council on Social Welfare suspects that approximately 1.35 million users may have been affected, and personal data, including users’ names, birth dates, addresses, contact numbers, and email addresses, might have been compromised.
“We discovered the attacker’s activities the next day, on January 8, and took necessary measures right away,” stressed an official of the information systems team at the Korea National Council on Social Welfare. “However, during the investigation process, we discovered a possible data breach of users private information. We have issued notifications and reported the breach to the appropriate authorities.”
The public organization posted an initial notification on January 15 on its official website, stating that they have blocked the IP address that is suspected to have been used by the attacker and gone through additional vulnerability assessments on their websites.
The Readable requested comment about possible reasons motivating the attacker’s intrusion. The official said that there was a vulnerability in the VMS; however, the official did not disclose further details, explaining that the case is still under investigation.
Meanwhile, South Korea’s privacy agency is looking into the extent of the breach. “We received a report about the incident last Saturday,” said an official of the Personal Information Protection Commission. However, the official did not disclose further details as the agency is undergoing investigation.