South Korea's Personal Information Protection Commission held a plenary meeting on Jan. 28 and imposed an administrative fine and penalty on the Korea National Research Foundation for violating personal data protection rules.
The commission said its investigation following a personal data leak report confirmed violations of the Personal Information Protection Act in the online paper submission system operated by the Korea National Research Foundation, known as the Journal&Article Management System, or JAMS.
The commission said that on June 6, 2025, a hacker exploited a vulnerability in the URL for the "Find password" function on JAMS society pages. The hacker manipulated parameters and used random email guessing to view personal information of about 120,000 JAMS members, covering 44 items such as names, IDs, email addresses, mobile phone numbers and bank account numbers.
The investigation found the vulnerability had existed since 2013 and that the foundation failed to detect and fix it for a long period, leading to the leak. It also found that the foundation checked only the JAMS portal for vulnerabilities and did not conduct vulnerability checks on the roughly 1,600 society pages.
The commission also found that the foundation did not properly carry out leak notifications: the leak notice issued on June 12 omitted highly identifying items such as mobile phone numbers, bank account numbers and researcher registration numbers.
The foundation does not collect or use resident registration numbers, but 116 cases of such numbers were leaked after some members voluntarily entered them in the JAMS "Remarks" field. Before the leak, the JAMS web firewall detected resident registration numbers, which are 13 digits, but the foundation treated them as false positives and did not take follow-up steps such as verifying the facts.
The investigation found the foundation continued operating the system after the hack without sufficient system improvements. It said secondary damage occurred on June 17, including the impersonation of JAMS members' identities, showing shortcomings across the overall personal data protection system.
The commission judged the leak to be a very serious incident, citing the long failure to detect and fix vulnerabilities, poor overall personal information protection management, and the secondary damage that actually occurred in the form of identity impersonation. It imposed an administrative fine of 703 million won and a penalty of 4.8 million won on the foundation for violating its duty to take protective measures and for inadequate leak notifications.
The commission requested that the relevant ministries (the Ministry of Science and ICT and the Ministry of Education) strengthen inspections of JAMS management and operations. It said it would also continue to provide guidance to strengthen the duty of major public institutions to take protective measures and to help create incentives for affiliated agencies to invest actively in personal information protection.