
The Personal Information Protection Commission imposes fines on Soonchunhyang University and Kyungsung University for neglecting security vulnerabilities for six years.

Soonchunhyang University and Kyungsung University have been fined for failing to address known security vulnerabilities in their systems, which resulted in the leakage of personal information of students and staff. The Personal Information Protection Commission announced on the 14th that these universities violated privacy protection laws and imposed a total fine of 235.8 million won and additional penalties amounting to 6.6 million won.

Soonchunhyang University was fined 193 million won and issued corrective orders and recommendations. Similarly, Kyungsung University faced a fine of 42.8 million won with recommendations for improvements.

The personal information of about 500 people, including students and faculty, was leaked through the exploitation of a WebLogic vulnerability on Soonchunhyang University’s website. The hacker installed a malicious file (web shell) to steal personal information, which was then distributed on social media platforms. The investigation revealed that Soonchunhyang University had not applied the security patches for the WebLogic vulnerability released by Oracle in October 2017. Additionally, the university failed to properly configure its firewall and intrusion prevention systems, and did not encrypt internal storage containing personal data such as resident registration numbers.

Kyungsung University experienced a similar breach of its comprehensive information system (Kyungsung Portal), with around 2,000 students’ personal information being leaked. This university also had not applied necessary security patches.

It is presumed that the same hacker attacked both universities due to their failure to address longstanding WebLogic vulnerabilities in their personal information processing systems. The Personal Information Protection Commission has stressed the importance of implementing security programs, conducting updates, and continuously monitoring for unauthorized access to prevent such incidents, especially given the extensive amount of personal data processed by universities.
