SK Telecom headquarters in Jung-gu, Seoul. / Courtesy of News1

SK Telecom has confirmed that it passed the government's information protection certification review just six months before the recent leak of subscriber information, drawing criticism over the effectiveness of the current certification system.

According to Ministry of Science and ICT information submitted on the 6th by Representative Lee Hun-ki of the Democratic Party of Korea, SK Telecom currently holds a total of three certifications: two for the Information Security Management System (ISMS) and one for the Information Security and Personal Information Protection Management System (ISMS-P). These certifications are awarded to corporations that pass between 80 and 101 criteria for information security and personal information protection. After the initial review, a follow-up review is required every year and a renewal every three years.

SK Telecom passed the initial ISMS-P review and the follow-up ISMS review between late September and early October last year and completed the ISMS renewal review in July of the same year, extending its validity period until 2027. However, just over six months after completing these certification reviews, a massive hacking incident involving subscriber information occurred, raising concerns about whether the actual security capabilities were properly assessed.

Representative Lee noted, "The SK Telecom case shows that the certification system is being operated in a formal manner without verifying practical security capabilities," and pointed out that "more stringent standards and follow-up management are needed for key national infrastructure such as telecommunications and finance."

In fact, the number of reported incidents involving corporations with ISMS certification has surged. The number of reports, which was zero in 2020, increased to six in 2021, 13 in 2022, and 101 in 2023, with 37 reports noted by the end of April this year.