By Jung Da-hyun

Published May 11, 2026

Link to story

Data breach seen not just as security failure, but threat to identity, dignity

This image shows the main page of the National Center for the Rights of the Child (NCRC) website / Captured from NCRC website

A recent data breach at the National Center for the Rights of the Child (NCRC), exposing sensitive personal records of adoptees, is drawing criticism from overseas adoptee groups and raising questions about the agency’s credibility.

The breach, which the NCRC said occurred between April 30 and May 2, came to light when prospective adoptive parents checking their application status on the newly launched online tracking system discovered that other people’s adoption records were visible. The center notified affected individuals by email on May 3.

Overseas adoptees say the incident is part of a broader pattern of the agency falling short of international standards in safeguarding personal data and handling adoption records.

David Castlen, a Korean adoptee based in the United States and director of IT and cybersecurity at the United States Korean Rights Group (USKRG), said his individual breach notice — which he accessed on May 5 — showed it had exposed a wide range of identity-linked data, including his name, date of birth, photograph, adoption records, passport information, place of birth and information about his adoptive family.

“What concerns me most is the combination of identity data with adoption-related records,” Castlen told The Korea Times. “My notice was numbered 43, which suggests that at least dozens of individuals may have been affected.”

He added he has not yet experienced any direct secondary harm, but has noticed a rise in calls from unfamiliar numbers since the breach.

For adoptees, the implications go beyond a typical data leak. Accessing such records is often part of a long and emotionally complex process of tracing their origins and identity.

“For me, and for many adoptees, privacy is not just about security — it is about dignity and control over our own story,” Castlen said.

Castlen also highlighted the heightened stakes in his case, noting that he is currently seeking to restore his Korean citizenship — a step he described as reclaiming part of his identity — and questioning whether even that process can remain secure.

A notice sent by the National Center for the Rights of the Child to overseas adoptees / courtesy David Castlen

This is not the first time the NCRC has faced backlash over data security and mishandling personal information. The agency drew criticism in 2024 over its handling of sensitive information related to missing children and adoption records.

While the center has been expanding its online systems to improve the user experience, concerns persist over whether adequate safeguards are in place to protect sensitive data.

The agency operates an adoption information disclosure system that stores records on adoptees’ birth backgrounds and adoption processes, allowing adoptees, birth parents and adoptive parents to access relevant information.

On April 30, it also launched a new online tracking system enabling prospective adoptive parents to monitor their application status from the point of document submission, but after logging into the system, applicants discovered they could see other people’s information.

Anja Kold, a lawyer and representative of the Danish Korean Rights Group (DKRG), called on the NCRC to ensure full transparency and accountability in response to the breach.

In a statement, Kold voiced deep concern over repeated data leaks, saying the agency falls far short of international standards for data protection.

“In Denmark and the EU, data protection is considered a fundamental right, and repeated breaches trigger significant sanctions, extensive regulatory oversight and immediate corrective action,” she said.

She stressed that international adoptees have the right to have their personal data handled with the highest level of respect, security and professionalism.

“NCRC has repeatedly spoken about trust, yet it has instead deepened mistrust among those whose lives and identities depend on these records,” Kold said. “We expect the NCRC to take responsibility and align its data protection practices with both law and international standards.”