An audit has found security vulnerabilities in government public systems that hold personal information on many citizens.
The Board of Audit and Inspection on Tuesday released the results of an audit of the protection and management of personal information.
According to the board, 95.5 percent of personal information leaks in the public sector from 2021 to 2024 were caused by external hacking, while intentional leaks by internal staff accounted for just 0.1 percent.
The board pointed out that the Personal Information Protection Commission did not establish sufficient measures against external hacking even as it drew up measures in 2022 to prevent public-sector personal information leaks.
The board said it included 11 white-hat hackers working in the public sector in the audit to check for vulnerabilities. It selected seven systems with large volumes of personal information from 123 public systems under the commission and conducted mock hacking.
It found that personal information theft was ultimately possible in all seven systems. That meant there were security vulnerabilities. In one system, key information needed for access was not encrypted, allowing theft of the resident registration numbers of 130,000 people if a hacker obtained administrator privileges.
In another system, a hacker could check the resident registration numbers of 3,000 people by manipulating customers' search information. In other cases, resident registration number lookups for 50 million people were possible through unlimited repeated attempts, or member information for 10 million people could be stolen within 20 minutes because abnormal queries were not blocked.
The board did not disclose specific audit details, citing concerns such as the risk that methods of stealing personal information could spread. It also said it had informed the agencies operating the seven systems during the audit period and that remediation has already been completed.
Separately, the board said it also confirmed cases showing management loopholes, such as failing to revoke access rights for retired staff in systems including the Gyeonggi Provincial Office of Education's education administration information system, the information linkage system for four major social insurance programmes, the social security information system and the regional public health and medical information system.
The board also called for improvements across the overall response measures for personal information leaks.
It first said that in 306 of 320 cases from 2021 to 2025 in which personal information was leaked in large volumes, the information may have been exposed on the internet for an average of 81 days, and as long as 838 days. It said leaks could not be confirmed in time because the relevant institutions failed to report them.
The board said the commission had been passive in setting up procedures requiring the institution concerned to confirm whether there was a leak and submit investigation results, and notified the commission to prepare improvement measures.
It also notified the commission to prepare improvement measures such as encrypting mobile phone numbers so that, even if personal information is leaked, it is not used for crimes such as spam and voice phishing. It also told the commission to improve the quality of the "Find My Leaked Information" service, which allows people to check for themselves for personal information illegally distributed on the dark web.
[Yonhap]