
South Korea Data Breaches: Concerns Over Digital Security

October 4, 2025

South Korea's Cybersecurity Challenges

South Korea has gained global recognition for its incredibly fast internet speeds, widespread broadband access, and pioneering role in digital technologies. It is home to prominent technology companies such as Hyundai, LG, and Samsung.

However, this technological advancement has simultaneously positioned the nation as a significant target for malicious cyber activity, revealing vulnerabilities within its cybersecurity infrastructure.

Recent Cyberattacks and Government Response

A series of impactful cyberattacks has recently affected various sectors in South Korea, including credit card providers, telecommunication companies, technology startups, and governmental bodies.

These breaches have impacted a substantial portion of the South Korean populace. Following each incident, ministries and regulatory bodies have often responded in a disjointed manner, sometimes deferring responsibility to each other.

Fragmented Cybersecurity System

According to reports in local media, a key impediment to effective cyber defense in South Korea is a fragmented system involving numerous government ministries and agencies.

This structure frequently leads to delayed and uncoordinated responses to cyber threats. A lack of a designated “first responder” agency further complicates the nation’s ability to effectively address attacks.

Reactive Approach to Cybersecurity

“The government’s cybersecurity strategy largely remains reactive, addressing issues as crises emerge rather than prioritizing it as essential national infrastructure,” stated Brian Pak, CEO of Seoul-based cybersecurity firm Theori, in an interview with TechCrunch.

Pak, who also advises SK Telecom’s parent company’s cybersecurity innovation committee, explained to TechCrunch that the siloed nature of government cybersecurity agencies hinders the development of robust digital defenses and the training of qualified personnel.

Shortage of Cybersecurity Professionals

South Korea is currently experiencing a significant deficit in skilled cybersecurity experts.

“[This is] primarily due to a current approach that has impeded workforce development. This shortage of talent perpetuates a negative cycle, making it difficult to establish and maintain the proactive defenses necessary to anticipate and counter emerging threats,” Pak added.

Political Factors and Long-Term Resilience

Political gridlock has encouraged a pattern of implementing immediate, superficial solutions after each crisis, according to Pak.

Meanwhile, the more complex and sustained effort of building comprehensive digital resilience is consistently postponed.

Increasing Frequency of Incidents

Throughout the current year, South Korea has faced a major cybersecurity incident on an almost monthly basis, intensifying concerns regarding the robustness of its digital infrastructure.

January 2025

GS Retail, a prominent South Korean company managing convenience stores and grocery markets, has acknowledged a security incident. A data breach occurred following an attack on their website between December 27th and January 4th.

Data Breach Details

The breach compromised the personal information of approximately 90,000 customers. Sensitive data was exposed as a result of the cyberattack.

Specifically, the stolen data encompassed a range of personally identifiable information. This included customer names, birth dates, contact details, addresses, and email addresses.

GS Retail has initiated investigations to determine the full scope of the incident. They are also implementing measures to enhance their security protocols and prevent future occurrences.

Customers are advised to remain vigilant and monitor their accounts for any suspicious activity. Further updates will be provided as the investigation progresses.

February 2025

A security breach impacted Wemix, the blockchain-focused subsidiary of the South Korean gaming firm Wemade, resulting in a loss of $6.2 million on February 28th.

However, information regarding this incident was not disclosed to investors until March 4th, a delay of several days.

Details of the Incident

The hack affected Wemix’s systems, leading to the unauthorized transfer of funds. The precise nature of the vulnerability exploited remains under investigation.

Wemade has confirmed the financial impact, quantifying the loss at $6.2 million. This represents a significant, though not catastrophic, setback for the platform.

Delayed Disclosure

The delay in notifying investors has raised questions regarding Wemade’s transparency and incident response protocols.

Typically, companies are expected to promptly disclose material events, such as significant security breaches, to maintain investor confidence.

Potential Implications

  • Market Reaction: The delayed announcement could potentially influence investor sentiment towards Wemix and Wemade.
  • Regulatory Scrutiny: Depending on the jurisdiction, the company may face scrutiny from regulatory bodies regarding the disclosure timeline.
  • Security Enhancements: Wemade is likely to implement enhanced security measures to prevent similar incidents in the future.

Wemade is currently working to address the security vulnerabilities and has initiated a thorough review of its security infrastructure.

Further updates regarding the investigation and preventative measures are expected to be released as they become available.

Cybersecurity Incidents in South Korea: April & May 2025

A significant data breach impacted South Korea’s job market in late April. The part-time employment platform, Albamon, experienced a hacking attack on April 30th.

Albamon Data Breach

This security incident resulted in the exposure of sensitive information belonging to over 20,000 users. Compromised data included names, phone numbers, and email addresses contained within user resumes.

SK Telecom Cyberattack

April also witnessed a large-scale cyberattack targeting SK Telecom, a leading telecommunications provider in South Korea. The attack led to the theft of personal data from approximately 23 million customers.

This figure represents nearly half of the entire South Korean population. The repercussions of this breach extended into May.

Customer Response and Remediation

Following the SK Telecom incident, millions of affected customers were offered replacement SIM cards. This measure was implemented as a direct response to mitigate potential fraud and unauthorized access.

The provision of new SIMs continued throughout May, demonstrating the scale and complexity of the recovery efforts. The incident highlights the growing threat landscape facing both businesses and individuals in South Korea.

June 2025

A significant ransomware incident impacted Yes24, a leading online ticketing and retail platform based in South Korea, on June 9th.

This attack resulted in a service outage that persisted for approximately four days.

Full operational capacity was restored by mid-June, according to company reports.

Details of the Incident

The disruption caused by the ransomware affected Yes24’s ability to process ticket sales and retail orders.

Customers experienced difficulties accessing the platform during the peak of the outage.

Yes24 worked diligently to contain the attack and recover its systems, ultimately succeeding in restoring services within a relatively short timeframe.

Impact and Recovery

The incident highlights the growing threat of ransomware attacks targeting online businesses.

The four-day disruption underscores the potential for significant operational and financial consequences.

Yes24’s swift recovery demonstrates the importance of robust cybersecurity measures and incident response planning.

The company has not publicly disclosed the specific type of ransomware involved or the extent of any data compromise.

However, they confirmed that services were fully functional again by the middle of June.

July 2025

During July, a cyberattack originating from the North Korea-associated Kimsuky group was detected targeting organizations within South Korea.

Notably, this attack incorporated the use of AI-generated deepfake images, marking a new tactic in their operations. A defense-related institution was among the entities compromised.

Kimsuky's AI-Powered Spear-Phishing

The Genians Security Center reported that the Kimsuky hacking group, known for its ties to North Korea, employed AI-created deepfakes in a spear-phishing campaign.

This attempt specifically targeted a South Korean military organization. The group’s activities, however, weren’t limited to this single target, with other South Korean institutions also being pursued.

Ransomware Attack on Seoul Guarantee Insurance

Around July 14th, Seoul Guarantee Insurance (SGI), a prominent Korean financial institution, experienced a significant ransomware attack.

This incident caused substantial disruption to SGI’s core systems. Critical services, including guarantee issuance and verification, were taken offline as a result.

Consequently, customers faced uncertainty and delays due to the compromised functionality. The attack left many in a state of limbo awaiting resolution.

August 2025

In August 2025, Yes24 experienced its second ransomware attack, resulting in a temporary disruption of its website and associated services for several hours.

Data Breach at Lotte Card

Between July 22nd and August, malicious actors successfully infiltrated Lotte Card, a prominent South Korean financial institution specializing in credit and debit cards.

This data breach compromised approximately 200GB of data and potentially impacted around 3 million customers.

Notably, the intrusion went undetected for roughly 17 days before being discovered by the company on August 31st.

Welcome Financial Targeted

Welrix F&I, the lending division of Welcome Financial Group, became the victim of a ransomware attack during August 2025.

A hacking group with ties to Russia asserted responsibility, claiming to have exfiltrated over a terabyte of internal files.

This stolen data included sensitive customer information, with samples subsequently leaked on the dark web.

Espionage Campaign by Kimsuky

Hackers linked to North Korea, and widely attributed to the Kimsuky group, engaged in sustained espionage activities targeting foreign embassies in South Korea.

These attacks were cleverly disguised as standard diplomatic correspondence, allowing them to remain undetected for an extended period.

According to security firm Trellix, this campaign has been ongoing since March, and has affected at least 19 embassies and foreign ministries within South Korea.

The group’s activities involved ongoing surveillance and data collection from targeted diplomatic entities.

September 2025

A significant cyber security incident has been reported by KT, a leading telecommunications provider in South Korea. The breach resulted in the exposure of data belonging to over 5,500 subscribers.

The attack leveraged illicit “fake base stations” to gain access to KT’s network. This allowed hackers to intercept mobile communications and extract sensitive data.

Compromised information included IMSI, IMEI, and phone numbers. Unauthorized micro-payments were also reportedly made as a consequence of the security lapse.

Following a recent increase in cyber attacks, South Korea’s National Security Office is taking action to strengthen its cyber defenses.

A coordinated, government-wide response is being initiated, involving collaboration between multiple agencies.

New Cyber Security Measures

In September 2025, the National Security Office declared the implementation of “comprehensive” cyber security measures. These measures will be enacted through an interagency plan overseen by the South Korean president’s office.

Regulatory bodies have also indicated an impending legal modification. This change will grant the government the authority to initiate investigations immediately upon detecting hacking activity.

This power will be exercised even in instances where affected companies have not yet submitted a formal report.

Both of these actions are intended to rectify the longstanding absence of a dedicated first responder within South Korea’s cyber security infrastructure.

Concerns Regarding Centralization

However, some experts express concerns that South Korea’s current fragmented system lacks clear accountability.

Concentrating all authority within a presidential “control tower” could potentially lead to “politicization” and excessive governmental intervention, according to Pak.

A more effective approach might involve a balanced strategy.

This would include a central body responsible for establishing strategy and coordinating responses to crises, coupled with independent oversight to prevent abuse of power.

In such a hybrid model, specialized agencies like KISA would continue to manage the technical aspects of cyber security.

This would occur under a framework of more streamlined regulations and enhanced accountability, as Pak explained to TechCrunch.

Government Response

A spokesperson for South Korea’s Ministry of Science and ICT stated the ministry, alongside KISA and other relevant organizations, is “committed to addressing increasingly sophisticated and advanced cyber threats.”

The spokesperson further added, “We continue to work diligently to minimize potential harm to Korean businesses and the general public.”

Originally published on September 30.
