Netmarble apology letter / Netmarble website / Courtesy of Netmarble

Netmarble, which had customer, affiliate, and employee personal information leaked due to a PC game site hack, was found to have failed to notify authorities for nearly three days after recognizing the breach.

According to materials submitted by the office of Democratic Party of Korea lawmaker Lee Jeong-heon to the Korea Internet & Security Agency (KISA) on the 27th, Netmarble first reported the hacking damage at 8:40 p.m. on the 25th. In a statement on the 26th, Netmarble said, "We immediately reported the occurrence of the incident to the relevant authorities and are investigating the cause and scope of the leak."

However, according to the report Netmarble submitted to KISA, Netmarble first recognized the breach at 8:56 p.m. on the 22nd, so the actual report was made about 72 hours later. Under the current Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, providers of information and communications services must report to the Minister of Science and ICT or KISA within 24 hours of becoming aware of a breach.

Netmarble explained, "The statutory reporting standard for a hacking incident is 'within 24 hours of recognizing indications of a breach,' and reporting the fact of a personal information leak is within 72 hours," adding, "Since we detected abnormal signs on Saturday, even if we proceeded with reporting within 24 hours, actual receipt could only occur on Sunday."

It added, "After prioritizing user protection measures, we focused on completing the leak reporting procedures within 72 hours in accordance with statutory standards," and "There was no deliberate delay or downplaying at all, and 'immediate response' was not merely about speed but a response centered on substantive protective measures to minimize user harm."

Netmarble recorded the incident as "the presence of parameters that allow SQL (database command) queries in an asset exposed externally." SQL is a language used to manage databases (DBs) that contain vast amounts of information, and the commands that search and process data in a DB are called queries. The description is interpreted to mean that a security flaw was found that allowed access to the DB through the website, making it possible to exfiltrate internal information.

The previous day, Netmarble had said on its website, "We confirmed indications of a customer information leak due to an external hack on the 22nd of this month and are responding."

According to Netmarble, the leak affected 18 titles serviced through the Netmarble PC site, including Baduk, Janggi, Magu Magu, Sichuan, and Vegetable Village. Mobile games and games run via the Netmarble launcher are not affected.

The leaked information includes PC game site customer names, dates of birth, and encrypted passwords; affiliate PC cafe owners' names and email addresses; and current and former employees' names and company emails and phone numbers. Netmarble said sensitive information such as resident registration numbers was not included.

Democratic Party of Korea lawmaker Lee Jeong-heon said, "As telecommunications and commerce corporations were hacked and now even a major domestic game company, the inadequacy of the overall security system in our society has been exposed again," adding, "In particular, given the nature of online games, highly sensitive information directly connected to financial payments can be exposed, making this a very serious matter."

He continued, "It is time to fundamentally overhaul a nationwide cybersecurity system beyond specific industries and corporations," and said, "Now both the government and corporations must shift to preemptive and structural security reinforcement rather than 'after-the-fact response.'"
