[Gangnam Perspective] A credit card company’s distinctive response to a hacking incident

Last year, South Korea experienced an unprecedented series of personal data leaks. Well-known companies such as SK Telecom, KT Corporation (KT), Lotte Card, and Coupang were on the list. Because these incidents spanned everyday sectors like telecommunications, finance, and retail, the public shock and fear were even greater. The phrase “record-breaking” fits perfectly. It exposed the bare face of a country once praised as an “IT powerhouse.” Companies have cited hacking, rogue employees, and various other reasons, but in the end the conclusion is simple: they failed to protect information properly.
Security experts say that digital intrusions are evolving by the day. Because hackers’ techniques advance so quickly, it can be difficult to identify the cause, and in many cases it is hard even to detect that a breach has occurred.
More recently, concerns have been growing over cyberattacks that exploit artificial intelligence (AI). According to the report “Cybersecurity Outlook 2026” released by the Google Threat Intelligence Group (GTIG), attackers will go beyond simple text-based phishing. The report warns that they will use multimodal generative AI, including voice and video deepfakes, to impersonate executives, employees, or partners and mount highly persuasive, situation-specific attacks.
In reality, hacking attempts are surging. Data submitted by the Financial Security Institute to the National Assembly of the Republic of Korea show that the number of responses to hacking attempts jumped from 1.83 million in 2022 to 67.82 million in 2024, nearly a 37-fold increase in just two years. In other words, the likelihood of being exposed to hacking has grown dramatically.
Given that hacking incidents can occur anytime and anywhere, it may seem natural that controversy continues after a breach. However, we must not fall into the trap of unnecessary and wasteful disputes that distract from what truly matters: consumer protection measures and preventing secondary damage.
A clue to how to handle this better can be found in how one credit card company in the financial sector managed a hacking incident last year.
The day after Company A reported the hacking incident, the Financial Supervisory Service (FSS) and the Financial Security Institute, as supervisory bodies, immediately launched an on-site investigation in the form of an ad hoc inspection. This was the key difference from other hacking cases that occurred last year. By taking on the role of control tower and starting the investigation at once, the financial authorities avoided unnecessary disputes over who should investigate, whether the probe was inadequate, or whether there was any attempt to cover up the incident. Observers say the findings were announced more quickly and accurately than in most other cases.
As a result, the card company was able to focus on cooperating with the investigation and on resolving the incident. It worked to block potential secondary damage from the hacking, opened a 24-hour customer service channel, reissued cards, and strengthened abnormal transaction detection, putting maximum effort into consumer protection. In the end, the fallout from the hacking was contained, and no secondary damage occurred. This clearly shows that while preventing hacking is important, the post-incident response system ultimately determines the scale of the damage.
Of course, not every industry can have the same management and oversight structure. What matters is that, whatever the form, a government-level control tower must be activated immediately when an incident occurs, and companies must be able to concentrate on remediation.
At the same time, companies that cooperate with investigations and handle recovery and follow-up measures well should be given incentives in the form of reduced fines or lighter sanctions. This would encourage firms to actively assist in investigations and to devote all their capabilities to the most critical tasks: preventing secondary damage and protecting consumers. Calls to toughen penalties in order to reduce incidents are understandable, but such measures can also create incentives to conceal or downplay incidents simply to avoid punishment. We have already seen multiple cases where controversies arose from companies’ efforts to evade penalties during the aftermath of an incident.
Looking ahead, one can only hope that when similar hacking incidents occur, we will not see a repeat of the same confusion and needless controversy. When I asked ChatGPT, it added one more point: “Above all, the most important task is to establish a protection system that focuses on prevention.”
blue73@fnnews.com Reporter