Korea's telecom trio exposed in widening cybersecurity lapses

By Kim Dong-young Posted : October 22, 2025, 15:43 Updated : October 22, 2025, 15:54
Graphics by AJP Song Ji-yoon
SEOUL, October 22 (AJP) - South Korea's pride as an ICT powerhouse has taken another blow after LG Uplus joined SK Telecom and KT Corp. in suffering major security compromises this year, deepening public concern and demanding sober reckoning over corporate attention to cybersecurity.

Security spending accounted for only about 6.3 percent of total IT investments by 773 Korean companies, according to the Korea Internet & Security Agency (KISA)'s information security disclosure. The global average stands around 11 percent.

Among the nation's wireless trio, SK Telecom, which recently suffered a SIM card hacking incident, allocated just 4.2 percent of its IT budget to information security, the lowest among the three. KT spent 6.3 percent and LG Uplus devoted 7.4 percent on cybersecurity in 2024.

"We need to break away from past practices. Security officers at companies like LG Uplus tend to have little authority. They're not in core business divisions, so they remain peripheral, but security must be treated as more important and given proper authority," said Kim Ki-hyung, a professor at Ajou University's Department of Cyber Space.

Regulations also aren't sufficient, experts add. The Personal Information Protection Act (PIPC) covers details comprehensively but its penalties are slap on the wrist compared to international rules. Europe's General Data Protection Regulation imposes fines for severe data breaches reaching 20 million euros or 4 percent of a company's global annual turnover, whichever proves higher. SK Telecom's fine of 134.8 billion won – the largest under the PIPC – following a major breach this year amounts to just 1.05 percent of the company's annual revenue of 12.8 trillion won last year.

"Global standards for data breaches remain far higher than Korea's. Our situation is quite ambiguous," said Kim.
 
Graphics by AJP Song Ji-yoon
Timeline for data breaches of South Korean telecommunicators/ Graphics by AJP Song Ji-yoon
LG Uplus became the latest flashpoint when it reversed course Tuesday and agreed to formally report a suspected cyberattack to authorities after initially denying any breach. The company detected suspicious activities as early as July but refused to file mandatory incident reports, arguing that no confirmed data compromise had occurred.

"While a data breach has not been confirmed, there are suspicions and circumstances that warrant a proactive response," a company spokesperson said, adding that the on-site investigation launched by the ministry remains ongoing with no confirmed evidence of hacking yet established.

Lee Sang-joong, president of the KISA, called the string of hacking incidents as "an unprecedented cybersecurity crisis" and emphasized that "securing digital trust is a national responsibility" during a parliamentary audit at the National Assembly on Tuesday.

Lee added that the KISA now plan legal reforms empowering authorities to launch investigations at the first sign of hacking, with significantly heavier penalties for companies that delay or fail to report cyber intrusions.

"The data leakages should be viewed as a growth process for South Korea. We have a neighboring country (North Korea) with world-class hacking capabilities, and these incidents should heighten corporate vigilance and drive improvement," said Kim.
Kim Dong-young

Copyright ⓒ Aju Press All rights reserved.

Related