The Korea Times

Calls grow for cybersecurity control tower

Fragmented government response to cyberattacks draws criticism

Lotte Card CEO Cho Jwa-jin walks to the stage to apologize for a massive customer data breach at the credit card firm during a press conference in Seoul, Sept. 18. Korea Times photo by Shim Hyun-chul

Calls are growing for the government to set up a cybersecurity control tower in the wake of a string of major cyberattacks and data breaches that have compromised Korea’s major mobile carriers and financial firms.

Critics say the current response system is fragmented across multiple agencies, slowing reactions to cybersecurity incidents. Experts urge the creation of a single coordinating body to strengthen governance.

Cyberattacks against Korean companies have surged in recent months. Last week, Lotte Card said the information of 2.97 million customers — one-third of its total base — was compromised by cyber criminals. At the same time, mobile carrier KT is suffering a series of unauthorized mobile payment incidents, while rival SK Telecom suffered a breach affecting 25 million users in April. Financial firms Seoul Guarantee Insurance (SGI) and Welcome Financial Group were also hit by ransomware attacks.

According to data from the Korea Internet & Security Agency (KISA), the total number of data breach cases reported by companies from January to August this year stood at 1,501. The figure is already close to the 1,887 cases reported for the whole of 2024.

Despite the increasing threats, experts argue that Korea still lacks a government-level cybersecurity control tower to lead a coordinated national response. While the primary responsibility for security lies with companies, the experts said more fundamental measures require government-level efforts.

Second Vice Minister of Science and ICT Ryu Je-myung, center, speaks during a joint briefing on cybersecurity at Government Complex Seoul, Friday. At left is Financial Services Commission Vice Chairman Kwon Dae-young. Yonhap

Currently, Korea’s oversight and response authority for corporate cybersecurity is split between the Ministry of Science and ICT, Personal Information Protection Commission (PIPC) and KISA. Public incidents are handled by the National Cybersecurity Center, while financial matters are handled separately by the Financial Security Institute (FSI).

The ICT ministry, PIPC and KISA are each responsible for different areas. The ministry oversees responses to telecom network cyber incidents and sets policies to prevent recurrences. PIPC supervises personal data leaks and related breaches, and KISA handles initial reporting and on-site responses. Since each agency has different requirements regarding reports for an incident, confusion is inevitable.

KT first reported a mobile payment-related breach to KISA on Sept. 8. KISA and the Ministry of Science and ICT opened an investigation but did not conduct a forensic analysis of KT’s servers, despite suspicions that users’ personal information stored there may have been compromised.

Because the PIPC is responsible for personal information-related matters, the ministry decided to launch a forensic investigation only after KT admitted its servers showed signs of a breach. Although the breach involved mobile payments, the financial authority did not take part in the investigation.

On the other hand, the ICT ministry was not involved in the handling of cybersecurity incidents at Lotte Card, SGI and Welcome Financial Group, as those fell under the jurisdiction of the FSI. During a joint government briefing held on Friday, each agency only addressed matters within its own jurisdiction.

KT CEO Kim Young-shub, center, bows in apology for unauthorized mobile payment cases at the mobile carrier during a press conference at KT headquarters in Seoul, Sept. 11. Joint Press Corps

Experts said specialized agencies are necessary for their expertise in addressing unique cases, but also called for a coordinating body to oversee them.

“Cyberattacks will only increase in the future, and it will be difficult to respond effectively with a penalty-centered approach,” said Lee Sung-kwon, CEO of ENKI WhiteHat, an offensive security service firm.

“Each specialized agency should carry out its role, but there also needs to be a body to provide direction and coordination. For example, if Chinese hackers are suspected for a case, the National Cybersecurity Center should be involved, the police need to investigate and related organizations such as the FSI should also be engaged.”

Another security industry official also brought up the importance of cybersecurity governance, so that not only private companies but also the government and policymakers would be responsible for preventing data breaches and cyberattacks.

“Recent debates have largely focused on imposing heavier penalties on companies hit by cyber incidents, but these are also firms that passed government-approved security inspections,” the official said.

“For example, Lotte Card received a security certification called ISMS-P from the FSI in July. Supervising government agencies are not free from responsibility, and they should set up proper cybersecurity governance.”

Lee also said that the government “should lead the efforts to set up cybersecurity governance and guide companies to make proper security investments within the governance.”

Amid rising calls for action, the presidential office of national security said Monday that the government and private experts are jointly working on comprehensive cybersecurity measures and will announce them by the end of this month.