It was revealed that KT knew last year that a server containing personal information had been infected with the malware "BPFdoor" but concealed it within the Information Security Division without reporting it to the relevant authorities, including the Ministry of Science and ICT, or even to the CEO.
These circumstances were set out in materials on when the infection was recognized and on the internal decision-making that followed, which the office of Science, ICT, Broadcasting and Communications Committee Chair Choi Min-hee received from KT on the 21st.
According to materials Choi's office received from KT, Assistant Manager A of the Red Team in KT's Information Security Division reported to the team head on Apr. 11 last year that "malware has been running on the corporations' mobile server since Mar. 19," and also shared it with Assistant Manager B of the Security Threat Response Team. This was the first time the BPFdoor infection was confirmed. The same day, Assistant Manager B reported to Moon Sang-ryong, then head of the Information Security Division and chief information security officer (CISO), and to Hwang Tae-seon, the person in charge (now CISO), that "emergency vulnerability measures are being taken and applied individually by business department."
The Information Security Division then moved to internal responses, such as making an "urgent" request on Apr. 18 to the server manufacturer for manual antivirus scans and analysis, but it did not submit any official report to company management. KT said, "Director General Moon and others verbally shared during tea time with then division head (vice president) Oh Seung-pil that a variant of malware had been found," adding, "Vice President Oh recognized it only as routine security situation sharing and did not grasp the seriousness." Even while emergency measures were underway, reporting to top management amounted to casual words exchanged over tea.
As for why it did not file an incident report, KT argued, "We focused on initial analysis and blocking the spread of a type of malware we had not previously encountered, so we did not give sufficient consideration to the reporting obligation." However, some inside the company note that omitting both the report to the CEO and the legally required report, despite the "emergency responses," suggests there may have been an intent to conceal.
Follow-up measures were also carried out solely on the security division's internal judgment. KT implemented a script-based malware check starting May 13, then expanded it to companywide servers from Jun. 11, and continued checks through Jul. 31. The operation was led by Hwang Tae-seon, the person in charge who was later promoted to CISO. This process, too, was only briefly shared with Vice President Oh during tea time, and KT repeatedly explained that "Vice President Oh recognized it as routine security checks." KT did not hold a single official meeting to discuss whether to file an incident report regarding the infection.
In the end, even though a total of 43 servers were infected, including those storing subscriber personal information such as name, phone number, email address, and device identification number (IMEI), KT handled the situation internally without reporting to top management or notifying the authorities. The fact of the BPFdoor infection was belatedly revealed this month through server forensics by a public-private joint investigation team.
Science, ICT, Broadcasting and Communications Committee Chair Choi Min-hee criticized the company, saying, "KT's concealment of the BPFdoor infection is a representative case showing that the security management system of a key telecommunications operator has effectively collapsed," adding, "While saying it was a variant of malware not previously encountered, the explanation that they 'did not recognize the seriousness' is a deception of the public." Choi urged, "The Ministry of Science and ICT should hold KT strictly accountable by all possible means, including withdrawing the penalty waiver, business suspension, and requesting an investigation, and KT must undertake a comprehensive overhaul."