Government investigations into the hacking incidents at KT and LG Uplus found clear negligence in KT's case and a data leak at LG Uplus caused by inappropriate security measures. The Ministry of Science and ICT said the penalty waiver clause under KT's terms and conditions can be applied to all subscribers. It also said it asked police to investigate LG Uplus on suspicion of obstructing the execution of official duties after the company made an investigation impossible by disposing of servers and reinstalling operating systems (OS).
◇ KT hacking exposes poor femtocell management… penalty fee waived for all subscribers
The public-private joint investigation team at the Ministry of Science and ICT on the 29th released its findings on the hacking incidents at KT and LG Uplus. According to the ministry, illegal femtocells (small base stations) led to the leakage of 22,227 KT subscribers' IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), and phone numbers, and 368 customers suffered unauthorized small-payment charges, causing total losses of 243 million won.
The ministry also confirmed that malware had infected all KT servers, and 103 types of malicious code, including BPFDoor and rootkits, were found on 94 servers. It said that due to KT's poor femtocell management, illegal femtocells were able to connect to KT's internal network, creating a situation where communication traffic could be captured. With end-to-end encryption disabled, payment authentication information and personal information could also have been leaked. KT was faulted for basic information protection failures, including insufficient femtocell security checks, a lack of security equipment, and short-term log retention.
The Ministry of Science and ICT determined that the risk of plaintext text and voice call interception caused by KT's poor femtocell management did not apply only to some users who suffered small-payment losses, but exposed all KT users to risk. Based on this, and after legal review of whether this falls under "other reasons attributable to the company" in KT's terms and conditions, the ministry concluded that KT violated its contractual obligation to provide safe telecommunications services. Given KT's confirmed negligence and its failure to provide safe telecommunications services to all users, it concluded that KT is responsible for waiving penalty fees resulting from this incident.
◇ LG Uplus to be investigated by police for obstructing official duties, including server disposal
The Ministry of Science and ICT said that information linked to LG Uplus's integrated server access control solution (APPM) that an anonymous whistleblower claimed had been leaked—such as server lists, server account information, and employee names—was confirmed to have actually been leaked from LG Uplus. APPM refers to an integrated password management solution that periodically changes and manages system account passwords in batches and automatically generates and issues passwords to users.
However, the ministry also noted that a detailed forensic analysis of the APPM servers submitted by LG Uplus found discrepancies with the materials disclosed by the anonymous whistleblower. It also confirmed that another APPM server, believed to be the source of the leak, underwent operating system upgrades and other work on Aug. 12, making it impossible to verify traces of the incident.
In addition, the anonymous whistleblower claimed that the attacker hacked a partner company that provides the APPM solution to LGU+ and then infiltrated LG Uplus. The ministry said it tried to verify this claim, but confirmed that key servers along the network path from the partner employee's laptop to LG Uplus's APPM server had all been reinstalled with the OS or disposed of, making an investigation impossible. It added that the reinstallation or disposal occurred between Aug. 12 and Sept. 15.
The Ministry of Science and ICT said that, considering the OS reinstallation or disposal of related servers at LG Uplus took place after July 19, when the Korea Internet & Security Agency (KISA) provided guidance on circumstances indicating an incident, it deemed the actions inappropriate and asked the Korean National Police Agency to investigate for obstruction of the execution of official duties by deceit.
Bae Kyung-hoon, Deputy Prime Minister and Minister of Science and ICT, said, "The KT and LG Uplus incidents, following the SK Telecom incident, are grave cases that exposed security loopholes in the nation's core public telecommunications networks," adding, "Corporations must recognize that building a safe service environment that people can trust is essential to survival and make information protection a core management value."