Concern grows over data protection at Korean conglomerates in wake of SKT breach




Image of a hacker [GETTY IMAGES BANK]

 
As cybersecurity threats mount following a major data breach involving SK Telecom's SIM technology, concerns are growing over weak information protection systems across Korea’s largest conglomerates.
 
One KT subsidiary — a designated subject of Korea Internet & Security Agency (KISA) disclosures and part of the firm that leaked 12 million customer records in 2014 — is currently assigning both its Chief Information Security Officer (CISO) and Chief Financial Officer (CFO) roles to a single executive.  
 
 
This dual role raises concerns over a fundamental conflict of interest: the CISO focuses on minimizing security risks, while the CFO is tasked with cutting costs and maximizing profit. A company official admitted the dual appointment was temporary and under review.
 
In light of a series of recent incidents — including leaked employee information at Hyundai Motor and a compromised certificate file at CJ OliveNetworks — the JoongAng Ilbo reviewed the information protection disclosures of Korea’s top 10 business groups (excluding NongHyup) and surveyed 12 major affiliates.
 
Looking back, there have been countless security breaches at major conglomerates, both large and small. The issue has now grown beyond individual companies to affect the entire industry. As a result, while large companies have steadily increased their cybersecurity budgets and staffing, structural vulnerabilities remain throughout their systems.
 
 
Security spending rises, but still lags among overall IT investment


The 87 affiliates of the top 10 groups subject to mandatory disclosure by the KISA reported a total cybersecurity investment of 984.9 billion won ($695.45 million) in 2024 — up 18.2 percent from 833.1 billion won in 2023.  
 
Samsung Electronics led with 297.4 billion won, followed by Samsung SDS’s 63.2 billion won, LG Uplus’s 63.2 billion won, SK hynix’s 62.7 billion won and SK Telecom’s 60 billion won. Outside the top 10 groups, KT and Coupang also made substantial investments with 121.8 billion and 66 billion won, respectively.
 
Yet the proportion of cybersecurity spending relative to overall IT investment remained unchanged at 5.8 percent for both years. Although the absolute amount appears to have increased, it is difficult to say that investment in cybersecurity has meaningfully expanded. In contrast, a 2023 report by global insurer Hiscox showed that U.S. companies allocated an average of 26 percent of their IT budgets to cybersecurity — 4.5 times Korea’s level. Germany’s 24 percent, Britain's 23 percent and France’s 22 percent also outpaced Korea.
 
Minister of Land, Infrastructure and Transport Park Sang-woo inspects the self bag drop facilities and security screening area at Terminal 1 of Incheon International Airport on May 1. [YONHAP]

 
One in three security staff outsourced — experts call for in-house talent development


One in three information security personnel was also found to be outsourced: 1,269.3 of the 3,521.9 personnel across the 87 affiliates, or 36 percent.
 
SK Group had the highest outsourcing ratio at 72.6 percent, followed by HD Hyundai at 54.3 percent, Hyundai Motor at 49.5 percent and LG at 42.3 percent. Samsung had the lowest among the 10 conglomerates at 13.6 percent. In SK’s case, the high rate is attributed to its security subsidiary, SK Shieldus.
 
While outsourcing isn’t inherently insecure, experts say that in crises, having in-house experts ensures faster and more accountable responses. The 2017 Verizon breach, which exposed data from 14 million customers, was traced back to a contracted server manager’s error.
 
“Outsourced workers may lack the same sense of responsibility and affiliation,” said Yeom Heung-yeol, a cybersecurity professor at Soonchunhyang University. “It's essential to train internal staff who can respond swiftly and responsibly in case of a security incident.”
 
SK Telecom users line up at a booth in Gimpo International Airport in western Seoul on May 9 to get new SIM cards. [NEWS1]

 
One in four CISOs at major firms not at executive level  


The authority and responsibilities of CISOs — who serve as the command center for corporate cybersecurity — were also found to be lacking.  
 
Among the 87 companies analyzed, 24.1 percent of CISOs, roughly one in four, were not at the executive level. While current regulations only require executive-level CISOs for companies with assets over 5 trillion won, the government’s K-ESG guidelines recommend appointing registered or unregistered executives to the role to ensure swift budget allocation and decision-making.
 
Twelve firms under Samsung and 10 under LG designated all their CISOs as executives, while SK did so for all but one of its 15 affiliates. In contrast, 60 percent of affiliates under Shinsegae, 57.1 percent under HD Hyundai, 55.6 percent under Lotte and 40 percent under GS had nonexecutive CISOs. For example, Shinsegae Food appointed a team leader, while HD Hyundai Mipo, Hyundai Construction Equipment and Hyundai Energy Solutions each had department heads as their CISO.
 
Moreover, 63 companies, or 72.4 percent, had CISOs with dual roles — typically overlapping with the Chief Privacy Officer (CPO). Experts say granting more authority to CISOs is crucial for bolstering corporate cybersecurity.  
 
“A CISO must at least be an executive to allocate sufficient resources and make quick, informed decisions,” Prof. Yeom added.
 
A security alert warning of phishing and smishing attacks related to SIM protection services and other social issues is displayed at the Korea Internet & Security Agency (KISA) situation room in Songpa District, southern Seoul, on April 30. [YONHAP]

 
Top 10 conglomerates to increase cybersecurity budgets and staffing next year
  
The damage from corporate hacking extends beyond leaked customer data. It can also expose strategic information, business networks and key personnel.  
 
On May 6, Hyundai Motor confirmed unauthorized access to internal servers containing information on group and partner employees. While no confidential customer or product data was leaked, experts called it a serious breach of human resources security.
 
“Loss of digital assets can become national security issues,” said Kim Hyoung-joong, a digital finance professor at Hoseo University. “Critical data should be hashed or not stored in original form at all.”
 
In response, major firms have begun strengthening their security protocols. All 12 subsidiaries under the 10 largest conglomerates surveyed by the JoongAng Ilbo said they plan to increase cybersecurity budgets and staff in 2026. Some companies have gone beyond simply replacing USIMs and have begun taking steps to enhance their overall cybersecurity response capabilities.  
 
LG Uplus now requires hourly security reports. Posco is preparing penetration tests, while Lotte Shopping is tightening login protection and anomaly detection.
 
[YUN YOUNG]

 
Calls for overhaul of certification systems and harsher penalties  


Yet analysts argue that deeper reforms are needed. SK Telecom passed all existing information security management system (ISMS) and personal information and information security management system (ISMS-P) cybersecurity certifications but still fell victim to a data breach.  
 
“The current ISMS certifications are overly document-based and apply uniform criteria,” said Song Jong-seok, a visiting professor of cybersecurity at Yeungnam University College. “Like in the United States, simulated hacking and other hands-on response evaluations should be strengthened, and cybersecurity drills should be institutionalized as routine exercises involving the entire organization — not just technical departments in a perfunctory manner.”
 
Experts are also urging stronger penalties and better consumer protections.  
 
“U.S. firms comply with security laws because damage compensation is strict,” said Park So-young, legislative investigator at the National Assembly Research Service. “Korea should expand penalties under the Personal Information Protection Act and strengthen real compensation for affected users.”
 
“Simply increasing headcount or budgets isn’t enough,” said Park Chun-sik, a cybersecurity professor at Seoul Women’s University. “Executives must treat security as an investment, not a cost.”


Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY KIM KI-HWAN, CHOI SUN-EUL, NA SANG-HYEON, NOH YU-RIM [[email protected]]