Financial regulators to impose punitive fines over lax cybersecurity

Second Vice Minister of Science and ICT Ryu Je-myung, at the podium, speaks during a joint press briefing at Government Complex Seoul, Friday. Yonhap

A pan-government body vowed to roll out stricter regulations and oversight measures to bolster cybersecurity, prompted by two major cyberattacks targeting the country’s telecommunications and financial sectors.

It pledged to revise relevant laws to impose punitive fines to ensure companies take responsibilities corresponding to the impact any incidents bring.

According to the Ministry of Science and ICT and the Financial Services Commission (FSC), Friday, a public-private joint investigative body is looking into the incidents.

The rare joint move by the science ministry and the top financial regulator followed a spike in public concern over two high-profile attacks. One was a breach of KT’s mobile network infrastructure and the other was a massive customer data leak from Lotte Card. The two events exposed critical vulnerabilities in Korea’s digital infrastructure and highlighted a lack of penalties for potential national security breaches.

The briefing did not announce unified, detailed response plans. The government is expected to roll out a comprehensive cybersecurity strategy in the coming weeks.

“The government, led by the National Security Office, is conducting a joint investigation involving multiple government agencies,” Ryu Je-myung, second vice minister of science and ICT, said at a joint press briefing at Government Complex Seoul. Also leading the briefing was FSC Vice Chairman Kwon Dae-young.

“The National Intelligence Service and the Personal Information Protection Commission will join in outlining comprehensive response measures. We pledge coordinated, cross-agency actions to prevent further breaches.”

Ryu said companies will face heavy fines if they deliberately delay reporting or fail to report cyberattacks to the authorities. Even if companies do not report cyberattacks, relevant government agencies will be allowed to open investigations if they become aware of suspected attacks.

The science ministry said hackers used unauthorized measures to infiltrate KT’s internal network. The breach affected at least 362 users, causing an estimated 24 million won ($18,000) in damages through unauthorized mobile payments.

In addition, sensitive user data, including phone numbers, international mobile subscriber identity and international mobile equipment identity numbers of more than 20,000 mobile users, have been compromised, the ministry said.

“We will conduct a full investigation into how those illegal access occurred and how personal data was compromised,” Ryu said. “The findings will be disclosed transparently.”

The FSC said the extent of the breach at Lotte Card was greater than initially reported, without specifying details.

Lotte Card said earlier that personal information of some 2.97 million customers was leaked.

“We will enforce stronger measures,” Kwon said. “We are taking these incidents seriously and will swiftly impose strict measures we find appropriate,” he said.

Kwon highlighted the issue of the financial sector’s complacency regarding cybersecurity.

“Hacking methods are evolving rapidly, but the financial industry’s outdated response measures are falling behind,” he said. “Cybersecurity investments have often been neglected and treated as optional expenses at best. This must change.”

Among the measures under consideration are greater discretions and powers for chief information security officers, as well as mandatory reporting and disclosure for data breaches.

Kwon pledged a full, close review of all information technology systems and maintenance within financial institutions overseen by the FSC and the Financial Supervisory Service.