Passwords Shared, Records Lost: The 300,000-File Adoption Data Scandal.
Who is managing NCRC, anyway?
Hankook Ilbo (Korea Times), “[Exclusive]
‘We opened the firewall. The password is…’ — 300,000 adoption records exposed due to security breach.”
Posted to Paperslip on April 1st, 2026.
Translation via ChatGPT.
BOLDS and blue highlighting ours.
Thanks to a Paperslip Contributor for the link.
Please note that we wrote the Paperslip Blog title for this post through ChatGPT to improve clarity.
"Hankook Ilbo (Korea Times)
[Exclusive] “We opened the firewall. The password is…” — 300,000 adoption records exposed due to security breach
By Reporter Won Dara
Published: April 1, 2026, 4:30 AM
Updated: April 1, 2026, 11:36 AM
“A public institution (Paperslip Note: NCRC) under South Korea’s Ministry of Health and Welfare that manages adoption records has been found to have provided external parties with login credentials for a system containing all adoption records—without proper procedures. It has also been revealed that the institution cannot even confirm what data the external party accessed. Additionally, the agency has lost track of a CD containing 300,000 adoption records. Sensitive data of adoptees has been comprehensively mismanaged.
According to materials obtained by Hankook Ilbo on March 31, an employee of the National Center for the Rights of the Child (NCRC) sent an external contractor login credentials—including ID, password, IP address, and port information—for the Adoption Case Management System (ACMS) database on July 23, 2021, describing it as a “security tool.”
The contractor was able to access the system from an external office without going through any additional security procedures. The company had been awarded a contract to digitize child welfare facility records and adoption data.
The problem is that it is virtually impossible to trace what information was accessed, how much was viewed or copied, or how any personal data may have been used afterward. When asked about approval procedures, access logs, and activity history, the agency responded, “There is no way to verify the situation at the time,” suggesting that proper safeguards were not in place.
This may also violate current laws. Under the Personal Information Protection Act, data handlers must minimize access permissions and maintain access logs to ensure data security. External contractors accessing internal databases are required to follow procedures such as account approval, logging access details, managing work history, and deleting data after completing tasks.
Internal documents from July 2021 already mentioned “security issues such as firewall concerns.” The employee involved admitted in a message to a colleague: “We opened access so their IP could connect to our server via email. There was no established procedure. It’s embarrassing.”
The adoption information system contains at least 300,000 records, including international adoptees, with some data dating back to the 1950s. The system includes highly sensitive personal information such as:
Child’s name, date of birth, and birthplace
Biological parents’ names, ages, and addresses
History of child welfare facilities and adoption agencies
Adoption timing, country, and procedural records
Health conditions and other personal details
These records reveal individuals’ birth backgrounds, family relationships, and life histories.
Even more concerning is that this is not an isolated incident. After a 2018 data migration project, the agency officially received a CD containing around 300,000 records—but cannot currently locate it. The CD included sensitive information from multiple adoption organizations.
It was also revealed that 14 out of 26 original external hard drives containing digitized adoption records from 2013 to 2022 have been lost. Some drives were stored without passwords, or with passwords written on notes attached to the devices—indicating a complete lack of basic security controls.
There are also concerns that lost data may still remain with outsourced contractors. By law, such data should be destroyed after project completion. However, during a 2024 parliamentary audit, it was revealed that certain child welfare records were missing, and the agency later retrieved them again from an external contractor.
Only in February 2026, after repeated media reports, did the agency post a notice on its website apologizing for a “suspected personal data loss (leak).”
Critics say these issues reflect a deeper, distorted perception of adoption within the institution. According to an advocacy group of adoptive parents, officials reportedly referred to children awaiting adoption as “inventory” and prospective adoptive parents as “test subjects” during a recent meeting. One official even used the term “consumption” to describe the matching process.
As the agency—now responsible for overseeing adoption under a public system—fails to properly manage even critical records, anxiety among adoptees and families is growing. Individuals who contacted the agency to ask whether their information had been leaked reportedly received no clear answers.
One adoptive parent who recently filed a civil lawsuit stated:
“I asked about the extent, scope, and type of damage related to the data loss (leak), but they responded ‘we don’t know’ or ‘we cannot tell you.’ That’s why I had no choice but to file a lawsuit. I hope they will provide clear answers.”’
Reporter: Won Dara (dara@hankookilbo.com)