
A major cybersecurity breach has been uncovered, with North Korean hackers successfully extracting at least 1 terabyte (TB) of personal data from the South Korean court’s computer network. In response to this incident, the judiciary has belatedly initiated a research project to explore encryption methods for personal information in litigation records.
On July 3, the South Korean Supreme Court announced a public competitive bidding process for a project titled “Research on Encryption Methods to Enhance the Security of Electronic Litigation Records,” according to reports from the Korea Online E-Procurement System and legal circles on Tuesday.
The project has a budget of 90 million KRW (approximately 65,500 USD) and is scheduled to run for three months from the contract signing date. However, the timeline may be adjusted through mutual agreement based on the project’s progress.
In the request for proposals, the South Korean Ministry of Court Administration explained that litigation documents submitted to the court in paper form or through affiliated agencies are digitized before being stored in the electronic litigation system. It also noted that the Personal Information Protection Commission had criticized the court for violating the Personal Information Protection Act by failing to encrypt resident registration numbers within these stored documents.
This research initiative appears to be a delayed response to the penalties imposed on the court following the data breach.
Law enforcement reports indicate that Lazarus, a hacker group associated with North Korea’s Reconnaissance General Bureau, infiltrated the court’s computer network and exfiltrated approximately 1,014 GB of court data over two years from January 7, 2021, to February 9, 2023.
The compromised documents included a wide array of sensitive litigation materials, such as handwritten statements, marriage certificates, and medical reports. Police investigations revealed that 4.7 GB (0.5%) of the leaked data contained personal information of 17,998 individuals, including their resident registration numbers.
In January, the Personal Information Protection Commission levied a fine of 270 million KRW (about 196,500 USD) and an additional penalty of 6 million KRW (approximately 4,200 USD) against the South Korean Ministry of Court Administration for violating the Personal Information Protection Act. This fine was the largest ever imposed on a public institution under the previous legal standards.
The Ministry of Court Administration clarified that unique identification numbers categorized as resident registration numbers are encrypted separately within the electronic litigation system. However, when these numbers were included directly in litigation documents, they were left unencrypted.
The Ministry of Court Administration emphasized the need for technical solutions that maintain user convenience and system performance while complying with the encryption requirements of the Personal Information Protection Act. It noted that encrypting entire litigation documents could lead to performance issues during record retrieval, potentially hampering user efficiency.
In a related development, the Ministry of Court Administration reportedly rejected a government-mediated proposal to compensate a victim of the recent data breach with 150,000 KRW (about 110 USD). This individual’s personal information, including name, age, family relationships, occupation, and income data, was reportedly leaked from documents submitted during an individual rehabilitation process.