[Exclusive] 1 million personal information in an instant... cracked-up companies

<Anchor>

The government inspects the security system every year because places that people use a lot, such as hospitals and banks, may be subject to hacking attacks.

Experts, so-called white hackers, are testing whether hacking is really possible, and we have obtained the results of inspections over the past three years.

Reporter Eom Min-jae was the sole reporter.

<Reporter> This

is a large hospital in Seoul.

White hackers stayed for two weeks in May of last year and directly infiltrated major security facilities.

As a result, we were able to obtain personal information such as the patient's social security number, address, and mobile phone number through an unmanned terminal kiosk that accepts medical treatment.

The amount of personal information obtained by the white hacker alone reached 997,000.

Even the patient's medical photos could be viewed through the hospital shared folder with insufficient security settings.

[Hospital official: (The result of the hacking) The corrective action was finished the next day, but (from the Ministry of Science and Technology) came to the site once again and finally saw it and did it the second time, so that's what happened...

.]

It was confirmed that a railroad company in Gyeonggi-do was able to take over the 'administrative authority' of the railroad control network, and it was possible to forcibly terminate the control network server using this.

[White Hacker: Accessible things, data leaks or…

.

In the case of (hacker) friends with a certain level of skill, there are parts that can be done similarly enough.]

As a result of the annual hacking test conducted by the Ministry of Science and ICT on major companies in the medical, financial, transportation and telecommunication fields, security vulnerabilities ranging from 21 to 123 were revealed over the past three years.

Identity verification agencies were able to access confidential information or gain administrator rights by infiltrating internal networks through PCs in conference rooms, even in data centers handling major securities companies and Internet account information.

The problem is that even after identifying such a critical vulnerability, the Ministry of Science and Technology cannot immediately demand remedial action.

This is because there are no legal regulations that can force private companies to follow up.

[Park Seong-joong / People's Power Rep.: to warn that (security) is weak, take measures to fix it, and prepare legal grounds to take stronger measures for security...

.]

(Video coverage: Jeon Gyeong-bae, Yang Doo-won, Lee Sang-hak, video editing: Ha Seong-won, CG: Lee Hyeon-jeong)

---

<Anchor>

Reporter Eom Min-jae who covered this content is here.

[Reporter Eom Min-jae: These documents I brought are the results of the Ministry of Science and Technology.

7 companies per year for the past 3 years, all over 800 pages.

These companies were concerned about actual hacking damage as the supplementary vulnerabilities were exposed, so the company names were covered and reported.]

[Reporter Eom Min-jae: These private companies are in charge of major national functions such as healthcare, finance, transportation, and communication.

The problem is that if you are actually hacked, the damage can go beyond the theft of personal information.

As can be seen from this data, it was possible for a railway company to enter the internal control network and stop the server, which could lead to a movie-like chaos.

Experts say that if the internal network of a financial company is hacked, the market can be disturbed by incorrect orders, etc., and hacking of a telecommunication company can cause personal eavesdropping as well as communication paralysis.]

[Reporter Eom Min-jae: The government and public institutions are responsible for cyber security at the National Intelligence Service and the Ministry of Industry.

These ministries have the power to enforce follow-up remedies after the hacking test, which is usually completed within a month.

However, the security of major private institutions is managed by the Ministry of Science and Technology.

However, the Ministry of Science and Technology did not have the authority to directly order supplementary measures, so all they had to do was check in writing whether follow-up measures were taken after a year.

As reported above, only some companies, such as hospitals, are being supplemented, but there is a need to force complementary measures as the hacking damage does not depend on the public or the private sector.

The Ministry of Science and Technology also announced that it would revise the Information and Communication Infrastructure Protection Act to this effect.]