Vulnerability of Internet Security

In light of the recent information leakage by three Korean banks, Kookmin, Nonghyup, and Lotte, the general public, including students, has become wary about the vulnerability of their personal information. Though many are not aware of it, KAIST students are relatively safe from such information leakages. Since KAIST is a government-funded institute, information is not usually disclosed to outsiders unless the school is legally obliged to do so or is formally requested by organizations, such as scholarship institutions, to reveal students’ profiles. Even at such requests, the school follows due process to assess any potential danger in providing the information, which is one of the reasons that there have not been any reported leakages at KAIST.
 
Furthermore, KAIST is no hotspot for hackers. The stats speak for themselves: whereas telecom and financial companies average 10 to 100 million leakages and exposures, KAIST manages 60,000 to 70,000 at most. Since the school holds almost no financial information of high significance, hackers do not have much incentive to penetrate the school’s defense mechanisms. Besides that, the majority of KAIST students would not have fallen victim to the recent information leakage by the financial institutions, as the student cards were synchronized with Woori Bank accounts, and Woori Bank was not one of the three card companies in question.
 
However, this does not mean KAIST is safe from data exposure; information leakage happens when data is leaked against one’s will. The school’s current weak spots are the 1,000 websites that it runs, as fragmented student information is peppered throughout these domains. Theoretically, one could comb through all of the sites and find enough information to put together a rudimentary version of a student’s profile. For instance, exam results are posted in the form of an Excel file that students can use to find the score corresponding to their student numbers. This leaves major room for abuse, since student A has access to student B’s grades if A knows B’s student number.
 
So, what must KAIST do to prevent such data exposure and leakages? For one, the system could be reconstructed so that students can access only their own personal information, such as grades after exams, but that only deals with the tip of the iceberg. KAIST currently adopts a highly inefficient way of website protection: all domain ports are initially open and are then closed one by one. Seoul National University, on the other hand, blocks all homepage ports from outside access and opens them only upon information collection requests. KAIST’s Information and Communication Team (ICT) is planning to install a new, stringent method of managing the hundreds of websites. If an external institution requests information, software will be run to determine whether the website in question is vulnerable or not, and only after positive test results will it be opened. When this policy comes into effect in July, 1,000 domain administrators will be appointed to oversee the websites and make sure none becomes obsolete. A time limit will be set on how long a domain can be active. The domain’s administrator will have to file for an extension to keep the domain active after the time limit has expired, upon which a checkup will be executed to verify whether the domain is safe to keep running.
 
The privacy laws set by the state and the policies put into effect by KAIST are the minimum protection for students’ personal information, but there is a limit to how far policies and regulations can prevent the breach of privacy. First, it is imperative to introduce technology and infrastructure to compensate for human errors and shortcomings; one could have all of the state-of-the-art technology and still have his or her information leaked at the push of a wrong button. Furthermore, there should be active communication and discourse between students, faculty members, ICT (which deals with the technical side of policies), and human resources (which actually sets the protective measures) to increase awareness of the privacy issues at stake.
Copyright © The KAIST Herald. Unauthorized reproduction and redistribution prohibited.