[Gangnam Perspective] Strong Punishment Is Not Always the Answer
- Published: 2026-04-27 18:40:12
- Updated: 2026-04-27 18:40:12

That was an excerpt from a column I wrote in January. Company A in that piece was Lotte Card.
Recently, the financial authorities signaled a heavy penalty against Lotte Card for a personal data leak caused by external hacking, including a fine and a 4.5-month suspension of business. The tougher punishment appears to reflect aggravating circumstances, as the company had previously been suspended for an information leak. Last month, the Personal Information Protection Commission (PIPC) had already finalized a 9.6 billion won penalty and a 4.8 million won administrative fine.
The financial sector has described the sanction as unusually severe. That is because no financial company has ever been ordered to suspend business over an information leak caused by external hacking rather than by an internal employee. Cheongho Easy Cash, which suffered fraudulent withdrawals after a hacking attack, was only given an institutional warning. Under the current Credit Information Use and Protection Act and the Electronic Financial Transactions Act, external hacking is also sanctioned at a lower level than information leaks caused by internal executives or employees.
If a business suspension is imposed, card issuers cannot recruit new members, and credit limit increases and card loans may also be restricted. The damage to the company would be significant. In fact, when Lotte Card was suspended for three months in 2014, about 800,000 members reportedly left. Even before any suspension, the company has already endured pain similar to a business halt for the past eight months since the data leak in September last year, including customer attrition. If an actual suspension is added, there are concerns that its creditworthiness and funding ability will come under pressure on all fronts. Unlike banks, card issuers do not take deposits, so they typically raise funds by issuing specialized credit finance company bonds. With market interest rates already high, additional sanctions could push them into a cash crunch.
Duo, a matchmaking company rather than a financial firm, also had sensitive personal information of about 430,000 members exposed when an employee's computer was hacked. The punishment was limited to a 1.2 billion won fine from the PIPC and an administrative fine of 13 million won. That comes to about 2,800 won per person. The leaked data included not only names and contact information, but also highly sensitive details such as height, weight, religion, marital history, and education.
Some also argue that harsh punishment for external hacking, as opposed to intentional data leaks, can be counterproductive. It may reduce incentives for voluntary reporting, encourage companies to respond passively, and undermine the security ecosystem. According to the 2025 Information Security Survey by the Korea Information Security Industry Association (KISIA), three out of four companies that experienced a data breach were hit by external intrusion. The reporting rate for breach incidents barely exceeded 30 percent, and more than 40 percent of respondents said they took no particular action after the incident.
Recently, hacking risks have spread further as Anthropic's new artificial intelligence (AI) model, Claude Mythos, has drawn attention. It can steal an entire company's secrets in just 13 minutes, earning it the label of a "nuclear weapon in cyberspace." In reality, completely blocking external hacking is not feasible.
Trust is the lifeline of financial companies. Punishment and sanctions for hacking incidents are therefore only natural. Until now, however, financial firms' information security budgets have been disclosed voluntarily rather than as a mandatory requirement. That means their budgets and staffing for information security have existed in a supervisory blind spot. As large-scale hacking incidents have repeated, mandatory information security disclosure is now set to be introduced. The financial authorities should also look back and ask whether they have been lax in overseeing hacking incidents. In line with the recently discussed Pre-emptive Digital Risk Supervision Measures, it would likely be more effective to focus on whether high-risk firms are inflating their information security budgets, investing enough to attract skilled security personnel, and closing gaps in their security management. That would do more to prevent repeat incidents.
Reporter, blue73@fnnews.com