Thousands of South Korean officials' information on the Internet
Technorati Tag: Security Breach
Date Reported:
8/22/08
Organization:
Republic of Korea
Contractor/Consultant/Branch:
The Ministry of Education, Science and Technology
Board of Audit and Inspection
The Ministry for Food, Agriculture, Forestry and Fisheries
The Ministry of Public Administration and Security
Victims:
Government officials
Number Affected:
7,723
Types of Data:
"names of government agencies, department titles, work status, names and social security numbers." also "work status, mobile phone numbers and personal IDs" of some civil servants
Breach Description:
"The personal data of thousands of officials has been leaked, the government said yesterday, including social security and phone numbers, and personal IDs to access the government data base and raising fears over identity theft."
Reference URL:
The Dong-a Ilbo (English)
The Dong-a Ilbo (Korean)
Report Credit:
The Dong-a Ilbo
Response:
From the online source cited above:
The personal data of thousands of officials has been leaked, the government said yesterday, including social security and phone numbers, and personal IDs to access the government data base and raising fears over identity theft.
[Evan] I don't post as many breaches from overseas as I do from the US. The primary reason for this is disclosure and media coverage. Organizations in many other countries are not required to disclose breaches and media reports are not as prevalent.
The Education, Science and Technology Ministry said the personal information files of 7,617 officials who took online education in April was accidentally posted on its Web site, affecting dozens of agencies such as the Board of Audit and Inspection, prosecutors’ offices and the Agriculture, Fisheries and Food Ministry.
The files contain the names of government agencies, department titles, work status, names and social security numbers.
[Evan] Do Koreans have social security numbers? I think they have national identification numbers. They serve roughly the same purpose, I suppose.
The Education Ministry discovered the flaw Monday in a security system check as part of Ulchi Freedom Guardian, an annual computer joint military exercise between Korea and the United States.
The files were immediately deleted from its home page but it was still possible to download the files on certain Web search engines until early yesterday.
Thus the personal information of thousands of officials was left online until the flub was discovered almost two weeks later.
An information security analyst at the ministry said, "A security worker discovered the file downloading was possible on Google and deleted the entire source code from the server."
[Evan] The security worker may be able to delete the information from the Education Ministry server, but certainly not from Google's servers. If personal information is found in Google cache, Google will remove it immediately upon formal notification. The process can be found , but don't forget to check Yahoo!, Microsoft Live Search, etc.
the personal information of Public Administration and Security Ministry officials was also leaked
The files are said to contain information on department titles, work status, mobile phone numbers and personal IDs for a database of 106 civil servants at state universities such as Seoul National University.
the leaked information was originally filed for internal use
A security analyst at the Education Ministry said, "I`ve never heard that such information was leaked on the Internet. We have yet to figure out the original source of the leak."
Certain IT experts say the fundamental reason for the leak was the failure to install a security filtering system that automatically filters personal data when it is posted on its server.
[Evan] I don't agree with these "certain IT experts". I think that a "security filtering system" would help to control this from happening again, but I don't think that the lack of a "security filtering system" was a fundamental reason for the leak. Granted, details are not readily available, so we can only speculate. Other and more likely fundamental reasons could include poor change control, poor employee training & awareness, or poor information security governance in general.
The Education Ministry confirmed that its budget allocated for the purchase of a personal information filtering system this year was postponed to next year, leaving its system server vulnerable.
[Evan] Budget cuts are more common when information security reports up through IT channels. Not to say that this is the case here.
Commentary:
We don't have many details about this breach. We know that private information was posted to a publicly accessible web site (or directory). We don't know how it got there. We don't know how long it was there. We don't have details about how it was found. We don't know what the Education Ministry plans to do in order to prevent similar occurrences.
Information security is a universal issue affecting people from around the globe. As long as information has value, it needs protection. The amount of protection should be commensurate with it's value and risk of loss. Something like that anyway
. You get the picture, right?
Past Breaches:
Unknown
Date Reported:8/22/08
Organization:
Republic of Korea
Contractor/Consultant/Branch:
The Ministry of Education, Science and Technology
Board of Audit and Inspection
The Ministry for Food, Agriculture, Forestry and Fisheries
The Ministry of Public Administration and Security
Victims:
Government officials
Number Affected:
7,723
Types of Data:
"names of government agencies, department titles, work status, names and social security numbers." also "work status, mobile phone numbers and personal IDs" of some civil servants
Breach Description:
"The personal data of thousands of officials has been leaked, the government said yesterday, including social security and phone numbers, and personal IDs to access the government data base and raising fears over identity theft."
Reference URL:
The Dong-a Ilbo (English)
The Dong-a Ilbo (Korean)
Report Credit:
The Dong-a Ilbo
Response:
From the online source cited above:
The personal data of thousands of officials has been leaked, the government said yesterday, including social security and phone numbers, and personal IDs to access the government data base and raising fears over identity theft.
[Evan] I don't post as many breaches from overseas as I do from the US. The primary reason for this is disclosure and media coverage. Organizations in many other countries are not required to disclose breaches and media reports are not as prevalent.
The Education, Science and Technology Ministry said the personal information files of 7,617 officials who took online education in April was accidentally posted on its Web site, affecting dozens of agencies such as the Board of Audit and Inspection, prosecutors’ offices and the Agriculture, Fisheries and Food Ministry.
The files contain the names of government agencies, department titles, work status, names and social security numbers.
[Evan] Do Koreans have social security numbers? I think they have national identification numbers. They serve roughly the same purpose, I suppose.
The Education Ministry discovered the flaw Monday in a security system check as part of Ulchi Freedom Guardian, an annual computer joint military exercise between Korea and the United States.
The files were immediately deleted from its home page but it was still possible to download the files on certain Web search engines until early yesterday.
Thus the personal information of thousands of officials was left online until the flub was discovered almost two weeks later.
An information security analyst at the ministry said, "A security worker discovered the file downloading was possible on Google and deleted the entire source code from the server."
[Evan] The security worker may be able to delete the information from the Education Ministry server, but certainly not from Google's servers. If personal information is found in Google cache, Google will remove it immediately upon formal notification. The process can be found , but don't forget to check Yahoo!, Microsoft Live Search, etc.
the personal information of Public Administration and Security Ministry officials was also leaked
The files are said to contain information on department titles, work status, mobile phone numbers and personal IDs for a database of 106 civil servants at state universities such as Seoul National University.
the leaked information was originally filed for internal use
A security analyst at the Education Ministry said, "I`ve never heard that such information was leaked on the Internet. We have yet to figure out the original source of the leak."
Certain IT experts say the fundamental reason for the leak was the failure to install a security filtering system that automatically filters personal data when it is posted on its server.
[Evan] I don't agree with these "certain IT experts". I think that a "security filtering system" would help to control this from happening again, but I don't think that the lack of a "security filtering system" was a fundamental reason for the leak. Granted, details are not readily available, so we can only speculate. Other and more likely fundamental reasons could include poor change control, poor employee training & awareness, or poor information security governance in general.
The Education Ministry confirmed that its budget allocated for the purchase of a personal information filtering system this year was postponed to next year, leaving its system server vulnerable.
[Evan] Budget cuts are more common when information security reports up through IT channels. Not to say that this is the case here.
Commentary:
We don't have many details about this breach. We know that private information was posted to a publicly accessible web site (or directory). We don't know how it got there. We don't know how long it was there. We don't have details about how it was found. We don't know what the Education Ministry plans to do in order to prevent similar occurrences.
Information security is a universal issue affecting people from around the globe. As long as information has value, it needs protection. The amount of protection should be commensurate with it's value and risk of loss. Something like that anyway
. You get the picture, right?Past Breaches:
Unknown
Posts Atom 1.0
Comments