After SK Telecom and KT, hacking incidents have also hit Lotte Card in succession across the telecommunications and finance sectors, prompting louder calls to overhaul the national information security system. As the era of artificial intelligence (AI) ushers in increasingly sophisticated and advanced cyberattacks, some argue the government should establish an integrated security control tower capable of swiftly responding to incidents and craft policies that encourage private corporations to invest in security to prevent attacks and minimize related damage.
On the 22nd, security experts agreed that extraordinary measures are needed as cyberattacks targeting corporations have surged this year. Lotte Card said last week that a hacking incident leaked the personal information of 2.97 million customers, one-third of its 9.6 million total members. The leaked data comes to nearly 200 gigabytes (GB), about 100 times the amount disclosed in the company's first report. It is the latest major hacking incident, following SK Telecom, which saw the personal information of 23 million customers leaked in April; KT, where base stations and servers were hacked; and YES24, SGI Seoul Guarantee, and Welcome Financial Group, which were hit by ransomware attacks. In the first half of the year, the number of cyber intrusion incidents reported to the Korea Internet & Security Agency (KISA) reached 1,034, a 15% surge from the same period a year earlier (899).
◇ "A control tower to oversee security policy is urgent"… momentum for overhauling the security system
Experts say that for fundamental institutional reform, a government-wide integrated cybersecurity control tower must first be established. Currently, Korea is the only major country without a control tower overseeing security policy, and supervisory and response authority over hacking damage is split between the financial and nonfinancial sectors. The Financial Services Commission handles hacking incidents at financial companies, while the Korea Internet & Security Agency (KISA) under the Ministry of Science and ICT responds to security incidents in the private sector outside finance. The National Intelligence Service oversees the public sector, and the Ministry of National Defense manages defense-related areas. Because roles are split this way, criticism has persisted that responses are slow and information sharing is poor.
Yeom Heung-yeol, emeritus professor in the Department of Information Security at Soonchunhyang University, said, "When national-level security governance is this dispersed, initial response is difficult when a major hacking incident occurs," and added, "Centered on the cyber security secretary at the National Security Office, the government should actively work to advance the nationwide cyber response system."
Major advanced countries have control towers that oversee and direct cyber security policy and issues. Representative examples include the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K. National Cyber Security Centre (NCSC), the Australian Cyber Security Centre (ACSC), Germany's Federal Office for Information Security (BSI), and France's National Cybersecurity Agency (ANSSI).
The structural problems of Korea's security system are also evident in how the government treats private corporations and government agencies after a hacking incident occurs. Kim Seung-joo, a professor at the Graduate School of Information Security at Korea University, noted, "While imposing astronomical penalty surcharges on corporations, when Lotte Card, which received the ISMS-P certification granted by the government, was hacked, the Ministry of Science and ICT or the Personal Information Protection Commission, which manage and supervise the certification, was free from responsibility." Experts argue that while punitive penalty surcharges on corporations responsible for security incidents are necessary, government agencies should also be held accountable for hacking incidents.
According to a report published last month in the U.S. security magazine Phrack, an attacker believed to be "Kimsuky," a hacker group under China or North Korea's Reconnaissance General Bureau, carried out attacks targeting public institutions, including "On-nara System," the Ministry of the Interior and Safety's internal work management system. However, the Personal Information Protection Commission only launched an investigation into suspected personal information leaks at KT and LG Uplus mentioned in the report. The National Assembly's Science, ICT, Broadcasting and Communications Committee will hold a hearing on the 24th to investigate suspicions surrounding large-scale hacking incidents at telecom and financial companies and plans to summon the CEOs of mobile carriers (SKT, KT, LG Uplus) and Lotte Card as witnesses, but suspicions of hacking at government agencies are notably absent from a full-scale investigation or the hearing's scope, drawing criticism of "double standards."
◇ "Punitive penalty surcharges are necessary, but security investment should be encouraged"
President Lee Jae-myung also instructed the preparation of fundamental measures at a senior secretaries' meeting he chaired at the presidential office in Yongsan, Seoul, on the 18th, when Lotte Card and KT announced additional intrusions, saying, "It is necessary to hold corporations accountable, but we must hurry to establish systematic, government-wide security measures to counter increasingly evolving hacking crimes."
The Ministry of Science and ICT and the Financial Services Commission held a joint briefing on the 19th on the "cyber intrusion incidents at telecom and financial companies," emphasizing they would do their best to stabilize the situation. Ryu Je-myeong, 2nd vice minister at the Ministry of Science and ICT, said, "We will improve the system so the government can thoroughly investigate even without corporate reports if circumstances are secured, and we will toughen measures such as fines if corporations intentionally delay or fail to report intrusions." He also said they would consider imposing punitive penalty surcharges on corporations that suffer repeated personal information leaks due to hacking.
Some warn that punitive penalty surcharges and fines may be limited in encouraging swift reporting and security investment by corporations. They argue the measures could backfire, with corporations concealing hacking damage out of concern for reputational harm and financial loss.
KISA said there were a total of 66 cases in the past year in which corporations hit by cyberattacks reported to KISA late or did not report at all. Under the Information and Communications Network Act revised in August last year, corporations must report within 24 hours of first confirming hacking damage, but compliance has been poor. KT, which saw "unauthorized small-amount payments" occur, was also found to have reported to authorities only three days after recognizing the server intrusion. Some corporations reported only months, or even a year, after recognizing the incident.
Kim Jin-su, senior vice chair at the Korea Information Security Industry Association (KISIA), said, "Recent hacking incidents are led by state-backed actors and are sophisticated, intelligent attacks that are hard for a single corporation to block," and added, "Because joint public-private response is needed, rather than only imposing punitive penalties on hacked corporations, it is also necessary to provide incentives that encourage security investment." Professor Yeom said, "In addition to investment in information security, we could consider offering tax credit benefits to corporations that use related products or services."