National Data Center Fire Was a Disaster Waiting to Happen, Audit Reveals

 

SEOUL — A devastating fire on September 26 at South Korea’s National Information Resources Service (NIRS), which caused a sweeping blackout of essential government digital services, appears to be the inevitable outcome of systemic failures that were formally identified and warned against by the Audit Board of Korea (BOK).

An audit, concluded following a similar nationwide network failure in November 2023, confirmed that NIRS was riddled with critical flaws in equipment management, system redundancy, and disaster response protocols—issues the agency failed to adequately address before the latest catastrophe.

The BOK officially communicated its findings to government agencies just weeks ago, on September 17, detailing a "complex" web of institutional complacency and technical shortcomings that paved the way for large-scale disruptions.

Aging Infrastructure and Delayed Replacement 

The audit revealed a perilous strategy regarding equipment maintenance. An analysis of NIRS’s computer systems between 2019 and 2023 found that the failure rate of IT equipment increased sharply from the fourth to the seventh year of operation. However, a newly enacted policy of applying a uniform 6- to 9-year service life to all equipment—a period that can be extended as equipment is repeatedly repaired—effectively delayed crucial replacement cycles.

This unreasonable practice led to what auditors called a "vicious cycle," where some systems were kept in service past their functional lifespan. The report noted that some components recorded an average failure rate exceeding a staggering 100% despite not having reached the extended official service life, underscoring the severe deterioration of the data center's core infrastructure.

Critical Lack of Redundancy and Response Lapses 

Beyond equipment age, the audit uncovered a dangerous lack of system redundancy (multiplexing) in high-priority government services. Of the 60 Grade 1 information systems—those essential for national operations—many lacked adequate disaster recovery measures. Nine vital systems, including the national subsidy management and post office call centers, lacked fundamental server multiplexing, and 56 others, such as the Government24 portal and the National Law Information Portal, had no server-based disaster recovery systems installed.

Equally alarming were the lapses in incident response during the 2023 outage. The audit described a catastrophic breakdown in communication that squandered the "golden time" for recovery. Crucial equipment failure alerts were initially missed because the comprehensive situation room had closed the notification window. The subsequent belated discovery of the problem was mishandled, with key staff off-duty and misinformed, leading to a crippling seven-hour delay in the full escalation of the issue. The disaster response team was only formally convened nearly three hours after the initial failure.

Budgeting Flaws and Warning Issued 

The BOK also pointed to a persistent budgeting issue. NIRS was found to prioritize the replacement of equipment specific to individual government ministries over common equipment—such as network devices shared across the entire center. By combining the budgets, the essential, shared infrastructure was treated as "ownerless equipment" and continually pushed to the bottom of the replacement queue. Furthermore, the report suggested that the low project budget allocated for public sector systems hampered the ability to attract superior companies and skilled personnel for system construction and maintenance.

While the BOK’s audit did not cover the lithium-ion batteries that sparked the September 26 fire, its comprehensive findings confirm that the NIRS was operating under a constant, high-risk environment. The Audit Board has formally demanded that NIRS establish its own internal standards for equipment service life and create a clear priority list for common equipment replacement, issuing a grave warning: "Without fundamental improvement, there is a risk of recurrence of large-scale failure."

The revelations intensify the political and public demand for accountability, as it is now clear the government was formally aware of the systemic weaknesses months before the latest disaster crippled its digital operations.