Choi Sujin Criticizes "Delayed Reporting... Questions Raised Over Data Preservation Request and On-Site Inspection"
SK Telecom (SKT) reported a hacking attack after the legal deadline had passed, and suspicions have arisen as the Korea Internet & Security Agency (KISA), which received the report, was found to have altered the incident occurrence time. Additionally, it has been revealed that KISA only requested data preservation and conducted an on-site investigation a day after SKT’s report, leading to criticism of a delayed response.
According to a Yonhap News report on the 27th, SKT reported the hacking incident to KISA at 4:46 p.m. on the 20th, with the incident recognition time recorded as 3:30 p.m. on the same day, about an hour earlier. This information is based on KISA’s “SKT Hacking Incident Timeline” submitted to Choi Sujin, a member of the National Assembly’s Science, ICT, Broadcasting, and Communications Committee from the People Power Party.
SKT first discovered unintended movement of data within its internal system at 6:09 p.m. on the 18th. Later that same day, at 11:20 p.m., SKT found malicious code and shared internally through its reporting system that it had been subjected to a hacking attack. Although SKT first recognized the hacking at 11:20 p.m. on the 18th, KISA recorded the incident recognition time as 3:30 p.m. on the 20th, 40 hours later.
In the materials submitted to Choi’s office, KISA stated, “During the interview process regarding the hacking report, SKT changed the incident recognition time after providing an explanation.” However, SKT denied this, saying it had properly reported the incident recognition time as the night of the 18th and had not changed it afterward.
In an explanation sent to Yonhap News, KISA stated, “During the process of receiving SKT’s hacking report, the company’s security officer decided to report the incident, and the incident reception staff then corrected the time to reflect this as the incident recognition time,” adding, “There was a kind of miscommunication.”
Choi Sujin stated, “It is clear that SKT recognized the hacking and reported it to upper management on the night of the 18th, so it is difficult to understand why the incident recognition time was changed to when the responsible officer decided to report it. I am concerned that KISA may have attempted to cover up SKT’s violation of the rule requiring incidents to be reported within 24 hours of discovery.”
Choi also criticized KISA for responding too slowly given the seriousness of the SKT subscriber USIM information theft incident. KISA officially requested SKT to preserve data and submit documents for incident verification at 2:06 p.m. on the 21st, more than 21 hours after receiving the report.
KISA dispatched experts to the site to assess the situation and discuss response measures at 8:00 p.m. on the 21st, six hours after the document request and 28 hours after the initial report was received.
Choi Sujin pointed out, “KISA’s principle is to respond immediately upon the occurrence of a security incident. With 23 million subscribers’ USIM information serving as ‘digital IDs’ now exposed and causing public anxiety, the authorities’ response cannot be considered prompt or appropriate.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
