The Personal Information Protection Commission held a plenary meeting on May 27 and decided to impose measures including fines and penalties on 4 public institutions and 1 contractor for violating the Personal Information Protection Act.
The Ministry of the Interior and Safety, the Rural Development Administration, the National Institute of Agricultural Sciences, the National Institute of Animal Science and the contractor Misotech received fines and penalties.
The Interior Ministry caused 2 leak incidents while operating the integrated administrative services portal Government24. In April 2024, development errors in source code related to linked civil documents from the Education Ministry's NEIS and a National Tax Service tax payment certificate led to the personal information of 1,233 people being disclosed to others.
The cause was the omission of a corporate issuance test. In May 2025, 4 cases were viewed by others due to an authentication vulnerability in the resident registration card issuance status inquiry service. Personal data of 3,828 people was also exposed after a file of public parking lot staff posted on a work bulletin board on the ShareNuri website appeared in Google search results.
The Interior Ministry also notified the people concerned more than 72 hours after it had recognised the leak, and it was found to have omitted the contractor from its personal information processing policy. The commission imposed a fine of 273 million won and a penalty of 7.5 million won on the ministry, and decided on corrective recommendations, publication and a publication order.
A larger-scale leak occurred at the Rural Development Administration and its affiliated organisations. A hacker stole about 575,000 cases of personal data stored on a network-attached storage (NAS) device used by Misotech, which was contracted for system maintenance and management, and posted them on the dark web. The data included names, addresses, contact details and email addresses.
Misotech kept the entrusted personal data without authorisation on its own NAS for 5 years. For 8 years the NAS was operated while accessible from an external IP address, and it could be accessed with only an administrator account ID and password. The Rural Development Administration also received only a "data non-retention confirmation" at the end of the contract and did not check whether the personal data was actually destroyed.
The commission imposed a fine of 82.5 million won and a penalty of 4.5 million won on Misotech, a fine of 168 million won on the Rural Development Administration, and a fine of 23.1 million won on the National Institute of Agricultural Sciences.
The commission plans to continue inspecting vulnerable factors in personal information protection that may arise in public sector information technology projects, share sanction cases with public institutions to minimise management gaps in outsourcing structures, and encourage stronger on-site management and oversight.