The company’s delayed response to hacking allegations exposes broader issues in how Korean firms interpret and apply disclosure requirements under cybersecurity law.
After facing mounting criticism from lawmakers and regulators, LG Uplus CEO Hong Beom-shik has pledged to report suspected hacking activity to the Korea Internet & Security Agency (KISA).
During a parliamentary audit on October 21 by the National Assembly’s Science, Technology, Information, Broadcasting, and Communications Committee, Hong said the company had initially believed that reporting was only required after confirming an actual breach. However, facing rising confusion and criticism, he said the telecom provider would “actively consider” submitting an official report to the national cybersecurity agency.
This represents a clear reversal from LG Uplus’ earlier stance, when it denied any evidence of hacking despite growing concerns over leaked internal data.
Legal Obligations Under the Cyber Law
Under South Korea’s Information and Communications Network Act, any information and communications service provider must report to KISA within 24 hours of detecting possible signs of intrusion.
LG Uplus’ initial refusal to report the incident—on grounds that no customer data had been compromised—prompted criticism from lawmakers and cybersecurity observers, who accused the company of failing to meet both the legal requirement and the spirit of proactive cybersecurity governance.
The company’s argument that “no customer information was leaked” was seen as insufficient under the law, which also covers internal systems and operational data.
Hacking Allegations and Data Exposure
The controversy intensified after an August report by the U.S.-based cybersecurity magazine Phrack, which claimed that two anonymous white-hat hackers had discovered around 8 GB of leaked data connected to LG Uplus.
According to the report, the exposed data allegedly included:
- Details from 8,938 servers,
- Information on 42,526 user accounts, and
- Records of 167 employees.
KISA reportedly detected suspicious access patterns as early as July and advised LG Uplus to submit a breach report. However, the company declined, citing a lack of confirmed intrusion. The Ministry of Science and ICT later launched an on-site inspection that remains ongoing.
Security Gaps and Weak Authentication
During the National Assembly hearing, Rep. Lee Hae-min of the Rebuilding Korea Party revealed that LG Uplus’ internal systems suffered from eight major vulnerabilities in its Account Privilege and Access Management (APPM) system.
These flaws included:
- A loophole allowing bypass of two-factor authentication using a simple numeric code;
- A backdoor providing access to administrator pages without additional verification;
- Plain-text passwords and unencrypted keys stored directly in the source code.
Rep. Lee criticized the findings, saying, “Leaving passwords unencrypted in source code is like writing a safe’s combination on a sticky note and putting it on the door.” He added that even a single one of these vulnerabilities could allow remote hijacking of administrator privileges, threatening the company’s internal network security.
Allegations of Evidence Tampering
Adding to the controversy, lawmakers accused LG Uplus of erasing potential digital evidence. The company allegedly updated its server operating system the day after the Ministry of Science and ICT requested copies of its internal investigation results.
Rep. Lee claimed that LG Uplus had reinstalled the server image before submitting it to authorities—raising doubts over whether original traces of the intrusion were preserved for forensic review. The lawmaker demanded a thorough investigation, questioning whether the updated server image accurately reflected the system’s state before the alleged tampering.
Company’s Defense and Next Steps
In response, CEO Hong emphasized that no confirmed intrusion had been found so far. However, he pledged to cooperate with the ongoing investigations and to “actively respond according to the procedures” set by both the National Assembly and the Ministry of Science and ICT.
An LG Uplus official later clarified that Hong’s remarks were intended to ease public concerns and ensure transparency, adding that the company would align with regulatory protocols as the investigations progress.
Still, cybersecurity experts argue that the incident underscores a systemic problem: companies prioritizing image management over rapid disclosure. Delayed reporting not only risks regulatory breaches but also undermines public confidence in digital infrastructure.
Broader Implications for Corporate Cyber Accountability
The LG Uplus case exposes deeper issues in South Korea’s corporate cybersecurity culture. Despite the country’s advanced digital economy, experts point to recurring weaknesses in incident disclosure, employee cyber hygiene, and risk communication.
The controversy also arrives amid increasing cyber threats from North Korean hacking groups, such as Kimsuky, which Phrack suggested may have been linked to the incident.
For South Korea’s telecommunications industry—considered critical national infrastructure—this episode serves as a wake-up call. Companies are now expected to move beyond reactive crisis management and adopt: Real-time threat monitoring and external audits, Encrypted authentication protocols for internal systems, and Transparent reporting frameworks aligned with regulatory timelines.
