"I'd Rather Lose 500 Million"... Reporting a Hack to the Government Can Destroy a Company Instantly [How About This Book]

Stories Uncovered by Asia Business Daily Reporters
Why SMEs Hide Hacking Incidents
Even at the Risk of Heavy Fines
Weighing the Enormous Consequences
Greater Disadvantages for Service Industries
The Government Says, "Never Negotiate with Ha

In March of this year, a small semiconductor parts company in a provincial area was hit by a ransomware attack. The CEO, who was sitting in his 84-square-meter office, recalled the incident as "the worst moment of my life." The hacker demanded 4 bitcoins, which was approximately 500 million won at the time, equivalent to the annual salaries of the company’s 10 employees. Although he hesitated, he felt he had no choice. With the company’s largest investment project since its founding, prepared over three years, just ahead, rumors of a hacking incident had to be prevented at all costs. In the end, instead of reporting to the authorities, he paid the hacker in bitcoin and received the decryption key. He said, "I couldn’t risk the fate of the company I’ve devoted my life to over 500 million won. Even now, I have nightmares about the hacking incident being exposed to the outside world."


If a company fails to report a hacking incident to the relevant authorities, it can be fined up to 30 million won. Yet, why do companies take the risk and conceal the damage? This book is a thorough investigation by three reporters from The Asia Business Daily into the reality where victims 'hide their victimhood.'


The main reason companies go to great lengths to hide hacking incidents is the stigma, akin to a "scarlet letter." The moment the hacking becomes public, the company suffers significant damage. Security experts point out, "The disadvantages of reporting far outweigh any potential benefits." This is especially true for service industries that interact directly with consumers, where the scale of damage is even greater. Once a report is filed, not only does the incident get media exposure, but listed companies also risk a drop in their stock price.


The bigger problem is that even if companies endure these burdens, fundamental solutions are hard to come by. Even when a report is made, the Korea Internet & Security Agency (KISA) merely reiterates the guideline, "Never pay the hacker," but provides little practical help in data recovery or negotiation processes. On the ground, companies consistently report that they must comply with extensive data submission requests, and in the case of large corporations, the incident is reported directly to the Ministry of Science and ICT, the National Intelligence Service’s National Cyber Security Center, and the Presidential Office, resulting in the company’s name being dishonorably listed in the National Intelligence White Paper.


A former government official from a related department also describes companies’ reluctance to report as "an inevitable outcome." "Korean companies get hacked as often as they eat meals. But nine out of ten don’t report it. Why? Because the moment you report, rumors spread that 'our company was hacked,' and the company’s credibility plummets. Even if you report it to the government, it’s of no help. They just ask for more documents, more reports, just more paperwork. If it were me, I wouldn’t report it either. Never."


Instead of turning to the government, victimized companies seek out negotiators who handle negotiations with hackers. Negotiator A, who met with the authors, recounted a case from two years ago involving a biotech company and a hacker. At the time, the hacker demanded 15 bitcoins (about 560 million won), but A managed to negotiate it down to about 9 bitcoins (340 million won). He explained, "Hackers usually ask for 1.5 to 2 times the amount they expect to get, anticipating negotiations. Negotiation is usually possible, but since hackers have detailed knowledge of the company, it’s hard to negotiate a significant reduction." A took a 30% commission on the amount he saved the company.


However, negotiators themselves cannot be unconditionally trusted. There have been cases where negotiators embezzled part of the payment during negotiations or colluded with hackers to siphon off company funds. In fact, in 2020, a logistics IT company in Seoul discovered that their negotiation team had secretly kept the difference after reducing the original demand from 6 bitcoins to 5.5 bitcoins without informing the victim company. For victimized companies, it is a grim situation where no one can be fully trusted.


The authors meticulously document this reality, delving deeply into the reasons why companies feel compelled to conceal hacking incidents. The government’s own statistics reveal this lack of trust. According to the "2024 Information Security Status Survey" released by the government, the reporting rate among small and medium-sized enterprises is only 4.1%, and for larger companies, it is just 6.5%. In contrast, the reporting rate for micro-enterprises was 100%, as both companies in the sample reported their incidents, but this is a statistical illusion caused by the extremely small sample size.



So, what measures are needed to reduce hacking damage? The authors argue that rather than strengthening penalties for failing to report, policies should provide tangible benefits for investing in security. Tax credits are a prime example. "What if, like fire insurance, cyber insurance were made mandatory and the premiums became eligible for tax credits?"


Hacking is a crime where victims are often blamed. The criticism is, "Why didn’t you prepare?" This book is significant in that it presents a new perspective that challenges conventional wisdom, based on testimonies collected by reporters on the ground. It also proposes practical solutions drawn from various domestic and international cases, raising meaningful social issues. Now, it is time for society to respond to their call.


Korea Has Been Hacked | Sim Nayoung, Jeon Youngju, Park Yujin | Sideway | 284 pages | 18,000 won


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

