It was confirmed that after KT recognized the hacking incident on the 5th of this month and blocked small-sum payments, it kept its internal security response level at the lowest level, "Level 5 (normal)," for three days. Level 5 is issued only when there is no breach and the status is "normal," prompting criticism that the company responded complacently despite a serious hacking incident. KT's internal incident response manual sets out a five-tier security response system—Level 1 (critical), Level 2 (warning), Level 3 (caution), Level 4 (attention), and Level 5 (normal)—but there was no step-by-step elevation of security levels according to the manual.
According to the office of Choi Su-jin of the People Power Party on the 30th, KT raised its internal incident response manual to the highest security level, Level 1 (critical), at 8:25 p.m. on the 8th of this month—three days after it recognized the hacking incident and blocked small-sum payments on the 5th. KT was notified by police on the 1st of this month of the small-sum payment hacking, and on 5th it detected traffic with abnormal patterns and took active countermeasures such as blocking small-sum payments and new access base stations. However, KT maintained the Level 5 security response system until the 8th of this month.
KT detected warning signs but did not raise its security level step by step according to its internal manual. A security industry official said, "Before elevating to Level 1, the company should have at least raised it to Levels 2–3, but keeping it at the 'normal' level is incomprehensible."
The timing of the Level 1 elevation (8th, 8:25 p.m.) was also more than an hour later than when the incident was reported to the Korea Internet & Security Agency (KISA) (8th, 7:16 p.m.). The internal manual requires elevating to Level 1 first and reporting to KISA within 24 hours. The prescribed order in the internal manual was not followed. Although, under KT's internal manual, a Level 1 elevation of the security response system was necessary, postponing the elevation until after reporting the incident is being criticized as problematic. A telecom industry official said, "If the company had elevated to Level 1 first under the internal manual, failing to report immediately could have been an issue," adding, "We cannot rule out the possibility that the company deliberately did not elevate the level until the time of the incident report."
Criticism has also continued over the timing when KT said it recognized the breach (3 p.m. on the 8th). In the report submitted to KISA on 8th, KT wrote that the time it recognized the incident was "3 p.m., Sept. 8." This delayed the timeline by about three days compared with the 5th, when it recognized the hacking and blocked small-sum payments. KT also reported, "There were no warning signs before recognizing the damage (8th)."
KT's slow response shown in this hacking incident does not end there. KT recognized the breach of its own server at about 2 p.m. on 15th, but reported the server breach to KISA at 11:57 p.m. on 18th, three days later.