KAIST professor warns fixation on passing inspections, not real security, fuels cycle of hacks

A Lotte Card advertisement is seen near the Lotte Card Center in Seoul, on Sept. 18. The company suffered a hacking incident in which about 200 gigabytes of data, including personal information of 2.97 million members, was leaked. (Newsis)

South Korea is battling a wave of cyberattacks that have exposed millions of people’s personal data and shaken confidence in the country’s digital defenses. Breaches at top mobile carriers SK Telecom and KT, along with cases at Lotte Card and ecommerce platform Yes24, have underscored persistent vulnerabilities in a country once hailed as a global IT leader.

The incidents have fueled calls for stronger regulations, tougher corporate accountability and a fundamental rethink of how critical infrastructure is secured. Yet questions remain: why do these breaches keep happening, and what concrete steps can organizations take to reduce their exposure?

To address these issues, The Korea Herald spoke with Kim Yongdae, ICT endowed chair professor and affiliated faculty at the Graduate School of Information Security at the Korea Advanced Institute of Science and Technology, about the roots of Korea's hacking woes and the reforms needed to protect consumers and businesses.

Q. Recent breaches at large corporations have shocked South Korea. Why do these firms suffer repeated attacks?

Each case may look different because attackers use different methods, but the roots are the same: poor asset visibility and weak account management. Old services are left running because they "still work." Firms hesitate to take revenue-generating services offline for OS updates or invest in costly replacements, so they add infrastructure without retiring old systems. This, along with the introduction of new services, is how digital assets keep multiplying, but patching and security teams don't keep pace. Over time, inventories grow with no clear asset list or upgrade plan, and vulnerabilities pile up.

At the same time, staff turnover or the ending of outsourced contracts means knowledge of what runs on which server disappears. That leaves plaintext passwords, dormant accounts and space for attackers to hide.

So while the Ministry of Science and ICT gave greater weight to weak incident response and inadequate encryption of sensitive data as key causes in its SKT report, I believe the primary cause is a lack of digital asset management, with weak account management close behind.

Q. Is Korea’s regulatory approach part of the problem?

Yes. Regulations are often designed to encourage companies to focus on buying specific tools or equipment just to pass certification, instead of addressing deeper architectural flaws. Firms start to treat compliance as a procurement exercise, and once they meet their obligations, they forget about vulnerabilities. This also leads to perverse outcomes, such as the mandatory use of certain tools, which has created a lowest-bidder market culture. Companies buy the cheapest solution that satisfies the rule, not the one that genuinely improves security.

Besides, Korea Internet & Security Agency's penetration testing tools are publicly available, which means hackers can download them, run the same scans and design their attacks to avoid detection. In reality, a company with thousands of servers may rely on a single KISA tool scan to "pass" inspection while the majority of its infrastructure is still exposed.

These policy approaches have encouraged firms to treat cybersecurity as a box-ticking exercise. KISA officials once offered to visit a prominent router maker in person to explain a discovered flaw; the company rejected the offer, kept the door closed when the officials arrived, and later declined to patch the vulnerability even after it was demonstrated.

Q. Banks and tax services appear to use many protections, asking users to install client software and digital certificates. So why do hacks still happen?

It is because many of those measures depend on fragile, client-side mechanisms. Bank certificates and plugins only protect users when the software is installed and running, yet most people log into a given bank or tax site only once or twice a year, so they miss updates and patches. Companies should move protections to the server and network layer, and into the browser when possible, to detect anomalies centrally, and they should keep a clear asset inventory and baseline traffic profiles so they can spot abnormal behavior.

Kim Yong-dae, a professor of electrical engineering and affiliated faculty at the Graduate School of Information Security at the Korea Advanced Institute of Science and Technology (Screen captured from YouTube channel by KAIST Graduate School of Information Security)

Q. How can policy encourage companies to take security more seriously?

The US approach offers lessons. American law does not dictate which program to install. Instead, it creates incentives to join programs that strengthen security. The US Cybersecurity and Infrastructure Security Agency has a Cyber Hygiene Program, which regularly scans internet-exposed IP addresses across the US and notifies companies of vulnerabilities it finds. When firms are repeatedly told to fix vulnerabilities, they do.

The Vulnerability Disclosure Policy is another example. It creates a legal channel for researchers to report flaws and gives firms a way to prioritize patches. That means both sides benefit: researchers are protected and companies get an early warning.

Then there are procurement-level requirements. US government suppliers must prove their products are "secure by design" and "secure by default" in lengthy reports. Products with too many flaws risk recalls or compensation payouts through bug bounty programs. That financial risk pushes vendors to embed security from the start.

We should apply the same principle in Korea, at least for government suppliers. Their products should be verified as safe, and they should prepare scenarios for potential intrusions. Think about food safety: no food goes to market without safety checks. Why should cybersecurity be treated as less important than food?

A bug-bounty program pays outside researchers to find and report security flaws; KISA runs a national program and many large firms, such as Samsung Electronics and Naver, operate their own bounty schemes.

Q. What changes should South Korea make at the government level?

We need a national control tower for cybersecurity, similar to the CISA. Right now, responsibilities are fragmented. When SK Telecom is hacked, the Ministry of Science and ICT takes charge, but we still do not know who carried out the attack or why. If it later turns out to be North Korea, should the National Intelligence Service belatedly step in? In the case of cryptocurrency breaches, is it for financial regulators or for private firms? With this siloed system, it is very difficult to raise security standards across the board.

Cybersecurity is so critical that the idea of a cyber "major accident law" is worth debating — one that holds CEOs criminally accountable for severe breaches that expose large amounts of data or cause significant damage, just as they would be held accountable for serious physical workplace accidents. But punishment alone will not solve the problem. The government needs to guide companies step by step on what to do. Otherwise, they will spend on expensive foreign hardware and claim progress without solving root problems. What we need is targeted investment, not arbitrary spending.

Q. How is AI going to affect the security landscape?

AI will eventually play a role, but our existing vulnerabilities are already severe. Right now, basic hygiene failures — unpatched servers, unmanaged accounts, superficial audits — create more than enough of an opening for attackers. Until we address these fundamental issues, AI is not the most urgent threat.

Kim's lab pushes boundaries

Kim's lab, sometimes nicknamed the "fire moth lab" for its pursuit of risky and unconventional ideas, has gained recognition abroad. His global reputation began in 2012, with a paper showing that pacemakers could be disrupted by malicious electromagnetic waves. He has since published a string of "provocative" studies reported widely overseas, including one showing how acoustic noise could bring down drones, and another revealing how lidar in autonomous vehicles could be blinded or tricked into seeing false obstacles.

Kim is an ICT endowed chair professor at KAIST and is also serving as a member of SKT's newly created Security Innovation Committee, formed after the company's recent hacking incident.


herim@heraldcorp.com