No Clarity on What Data Was Leaked
The hacking incident at SK Shieldus, a leading domestic security company, is spreading anxiety throughout the industry. It has been a week since the company officially acknowledged the hack, yet not only has it failed to present any concrete countermeasures, but it has also not clarified which data has been leaked. Moreover, given the circumstances of the hack known so far, some experts warn that the scope of the damage could expand further.
According to the industry on the 24th, confusion is mounting as SK Shieldus has not disclosed exactly what data was leaked by the hacker group “Black Shurantak.” This hacker group recently claimed to possess 24GB of internal SK Shieldus data and posted 42 pieces of evidence on the dark web. So far, it appears that the leaked data consists of business proposals and reference documents, rather than sensitive client system information or personal data.
The issue is that if, as the hackers claim, 24GB of data was stolen, it is unclear what the remainder contains. SK Shieldus maintains that it cannot disclose details as an investigation is underway in cooperation with regulatory authorities. A representative from SK Shieldus stated, “We are continuing to thoroughly investigate the problematic emails and verify whether there are any issues we have not yet discovered,” adding, “It is difficult to comment before the results of the investigation by the Korea Internet & Security Agency (KISA) are released.”
The unique nature of a security company has also played a role in this situation. SK Shieldus explained that because much of the information related to clients is confidential, they cannot even confirm whether the materials published on the dark web actually pertain to client information. This has led to a situation where companies mentioned in the leaked materials-such as SK Telecom, KB Financial Group, and the Financial Security Institute-have rushed to clarify that their internal data was not leaked.
As a result, companies that have had direct or indirect dealings with SK Shieldus are left anxious, fearing that their own data may have been compromised. For over 20 years, SK Shieldus has provided a full range of information security services to domestic companies, from consulting and solution implementation to control and operations. An industry insider commented, “Client companies that have not received accurate guidance regarding this data breach are likely concerned about potential secondary damages.”
SK Shieldus maintains that it is making every effort to notify potentially affected parties, regardless of whether they are current clients. A representative from SK Shieldus said, “We are continuing to individually explain the details we have identified so far to our corporate clients.”
Another issue is that, given the circumstances of this hack-where a vulnerability in an employee’s email account was exploited-there is no guarantee that such incidents will not recur. Although the company has touted its workforce of over 1,800 information security professionals, the largest in the country, it failed to adhere to even the most basic protocols regarding email account security. An industry expert pointed out, “The most critical issue is that a security company has experienced such a breach, yet there are no countermeasures explaining what went wrong, how it will be improved, or how the situation will be managed.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
