Sisa Week = Reporter Jo Yoon-chan
LG U+ has been put in an awkward position by a series of DDoS attacks that followed its personal information leak. With LG U+'s cybercrime response system under fire, the government plans to conduct a special investigation into the company.
◇ Victim of a series of DDoS attacks
Recently, LG Uplus has been hit by a series of DDoS (Distributed Denial of Service) attacks. According to the Ministry of Science and ICT and LG U+, a large amount of traffic, presumed to be DDoS, occurred on the 29th of last month and on the 4th of last month, leaving LG U+ users unable to access the Internet.
In response, LG Uplus announced on the 5th that it had formed a crisis response situation room in which the CEO and key executives participate. When a DDoS attack occurs, LG U+ restores service through traffic avoidance measures. An official from LG U+ said, “We plan to conduct preventive measures and countermeasures against DDoS attacks through a company-wide crisis management TF-focused response system.”
As the damage continued, the Ministry of Science and ICT and the Korea Internet and Security Agency announced that they would reorganize the LG Uplus ‘Public-Private Joint Investigation Team’ into a ‘Special Investigation Inspection Team’. The joint public-private investigation team has been operating since the 10th of last month to investigate the leak of LG U+ customer information.
The Ministry of Science and ICT plans to form the special investigation and inspection team with domestic security experts to examine LG U+’s overall information protection response system, including cybercrime prevention and response and security policies.
The Ministry of Science and ICT said, “We will strongly warn LG U+ management about the lack of a basic breach response system due to a series of Internet access failures due to DDoS attacks.” In addition, to overhaul how information and communication service providers respond to breaches, institutional improvements, including revisions to the law, will be pursued.
An official from the Ministry of Science and ICT explained that the ministry is considering amending the ‘Information and Communication Network Act’. In a phone call with Sisa Week, the official said, “Currently, we are responding after receiving a report in accordance with the Network Act relating to crime. However, it is not enough for us to respond simply by receiving a report.” On improving the legal system, the official said, “The law is being implemented with ISMS certification or infrastructure protection facilities under the ‘Information and Communication Infrastructure Protection Act’ scattered. We intend to review in the long term a plan to integrate these contents into one.”
◇ LG Uplus: lowest information security investment and staffing among the three telecom companies
LG U+ suffered a personal information leak in early January, before the series of DDoS attacks. In addition, the extent of the damage announced in its first notice later changed, drawing criticism.
On the 10th of last month, LG U+ announced on its homepage that the personal information of 180,000 customers had been leaked. However, on the 3rd, it published a review and announced that the number of customers whose personal information had leaked was 290,000, which is 110,000 more than before. In addition, the Korea Internet and Security Agency informed LG U+ of the personal information leak on the 2nd of last month, but customers were reportedly informed about it 8 days later.
LG U+ has come under fire over personal information management issues before. In December 2020, the Personal Information Protection Commission (hereinafter referred to as the Personal Information Commission) revealed that two LG U+ agencies shared customer information access accounts with unauthorized stores between September 2016 and June 2019. As a result, LG Uplus was fined 11.6 million won and fined 10 million won for neglect of management and supervision.
According to the Personal Information Protection Commission, LG U+ used real personal information files, not virtual files, while carrying out a mock test of personal information security measures in the agency system, and shared the files in an unencrypted network folder. As a result, the commission explained, other agencies that did not take part in the test could access the personal information. In response, in November last year, the Personal Information Commission imposed a fine of 12 million won on LG U+.
There was a view in the industry that it was important to strengthen the information security workforce. An industry insider explained, “Each telecommunications company will have a response system based on the resources it has and how much money it can invest.”
According to the ‘2022 Information Security Disclosure Status Analysis Report’ of the Ministry of Science and ICT, the number of personnel dedicated to information security was 336 at KT, 196 at SKT and 91 at LG U+. In terms of investment in information security, LG U+ has the smallest amount among the three telecommunications companies at KRW 29.2 billion, but it ranks fourth in the information and communication industry. KT (1st) invested 102.1 billion won and SKT (2nd) invested 62.7 billion won. LG Uplus's information protection investment was less than half of SKT's and less than one-third of KT's.
In a telephone call with Sisa Week, asked whether the special investigation inspection team would suggest a penalty to the Personal Information Commission, an official from the Ministry of Science and ICT said, “It can be seen as a separate case. The special inspection team cooperates with the personal information committee to analyze the causes of issues related to cyber attacks. There is also the issue of breach of privacy, but we are focusing on cyber attacks. When approaching the information protection system, we are cooperating with the Personal Information Commission on the necessary parts.”