10 Biggest Data Breaches in South Korea [2025]

Learn about the biggest data breaches in South Korea, why South Korea is an attractive target for cyber attacks and how these could have been prevented.

alexander petrovski

Alex

Created: June 27, 2025

Updated: June 28, 2025


1. Introduction: Why are Data Breaches a Risk for South Korean Organizations?

South Korea is increasingly targeted by cybercriminals, posing risks for businesses and individuals. The scale of cyber incidents in South Korea has escalated, rising by approximately 120% since 2017. In 2021 alone, authorities recorded over 7,000 online hacking cases nationwide, with malicious code infections accounting for the majority.

The financial consequences of these breaches are considerable, with the average cost of a data breach in South Korea reaching $4.88 million USD by 2024. High-profile incidents regularly expose large quantities of sensitive personal data, including social security numbers, email addresses, phone numbers, and financial information, impacting millions and sometimes equating to more than half of the country’s population.

Commonly targeted sectors include telecommunications, finance, healthcare, government agencies, and research institutions. With a notable lack of dedicated cybersecurity personnel (only 8.7% of surveyed companies acknowledge a need for dedicated cybersecurity staff), the nation remains highly susceptible to sophisticated cyber threats such as ransomware, phishing, and identity theft.

In this article, we’ll examine the largest and most impactful data breaches that have occurred in South Korea, identifying common vulnerabilities, attack patterns, and crucial lessons organizations must understand to improve their cybersecurity posture in an increasingly hostile digital landscape.

2. Why is South Korea an Attractive Target for Data Breaches?

South Korea’s rapid digital transformation and unique organizational landscape create ideal conditions for cyberattacks. Understanding these country-specific vulnerabilities helps explain why South Korean institutions are frequently targeted.

2.1 Highly Digitalized Society with Dense Connectivity

South Korea ranks among the most digitally connected nations, with near-universal internet and smartphone use. Citizens regularly use digital services for banking, e-commerce, and healthcare. While this digital connectivity is very effective, it also significantly increases the attack surface, giving cybercriminals opportunities to exploit vulnerabilities at scale.

2.2 Concentration of Sensitive Data in Large Corporations and Public Institutions

The South Korean economy is heavily dominated by influential conglomerates known as chaebols, including Samsung, LG, SK, and Hyundai. These organizations, along with government agencies, store vast amounts of sensitive personal, financial, and intellectual property data. Centralized storage within these powerful entities makes them high-value targets for cyberattacks, as breaching a single organization can yield extensive amounts of critical information.

2.3 Geopolitical Tensions Increasing Cyber Risks

South Korea’s geopolitical context, especially its tense relationship with North Korea, intensifies cybersecurity threats. The region is frequently targeted by state-sponsored cyber espionage and hacking groups aiming to compromise government agencies, military installations, and critical infrastructure. This persistent geopolitical friction creates additional cybersecurity vulnerabilities unique to South Korea.

2.4 Cultural and Organizational Factors Affecting Cybersecurity

South Korean organizations often prioritize rapid innovation and economic growth, sometimes at the expense of robust cybersecurity measures. Additionally, hierarchical structures in corporate culture can delay incident detection, reporting, and response. These organizational practices frequently slow down the adoption of proactive cybersecurity measures, leaving institutions more susceptible to cyber threats.

3. The Biggest Data Breaches in South Korea

Below is a list of the largest data breaches in South Korea, sorted by the number of impacted customer accounts in descending order.

3.1 SK Communications Data Breach (2011)

Details | Information
Date | July 2011
Impacted Customers | Approximately 35 million
Breached Data | Names; Phone numbers; Email addresses; Encrypted personal data
Method of Attack | Malware-based external intrusion
Sector | Social Networking / Web Portal

In July 2011, SK Communications, the company behind South Korea’s leading social network Cyworld and popular web portal Nate, experienced one of the country’s largest data breaches. Approximately 35 million accounts (nearly three-quarters of South Korea’s online users at that time) were compromised. Hackers, believed to originate from China, infiltrated internal company systems through malware embedded in a seemingly legitimate software update that was inadvertently downloaded by an employee. After gaining access, the attackers successfully extracted sensitive user information, including names, phone numbers, email addresses, and encrypted personal data. This incident drew intense scrutiny to cybersecurity practices across South Korea’s digital economy.

Prevention methods:

  • Deploy advanced endpoint protection to effectively identify and mitigate malware threats.

  • Provide regular cybersecurity training to staff, specifically addressing malware detection and phishing awareness.

  • Establish stringent internal monitoring protocols to quickly detect unauthorized system access or suspicious activities.

3.2 SK Telecom Data Breach (2025)

Details | Information
Date | April 2025 (disclosed April 2025)
Impacted Customers | Approximately 27 million
Breached Data | IMSI numbers; USIM authentication keys; Usage data; Text messages; SIM card contacts
Method of Attack | Long-term covert intrusion
Sector | Telecommunications

In April 2025, SK Telecom, South Korea’s largest telecommunications provider, disclosed a major cybersecurity breach affecting roughly 27 million customer accounts. Attackers managed to sustain undetected access within SK Telecom’s servers for nearly three years, systematically extracting sensitive and valuable personal information. Stolen data included IMSI numbers, USIM authentication keys critical for secure SIM operations, usage data, text messages, and SIM card contact lists, significantly increasing customers’ vulnerability to SIM-swapping attacks, targeted phishing, and identity theft. In response, SK Telecom proactively issued replacement SIM cards to affected customers and implemented rigorous security enhancements designed to prevent similar intrusions. This breach was particularly concerning due to its scale, the long-term undetected access, and the sensitive nature of the compromised information, prompting intensified scrutiny of cybersecurity practices in South Korea’s telecommunications industry.

Prevention methods:

  • Establish continuous network monitoring to rapidly identify and respond to unauthorized activities and intrusions.

  • Implement advanced intrusion detection and endpoint protection systems specifically tailored to defend against long-term persistent threats.

  • Strengthen internal security protocols by periodically rotating critical authentication keys and conducting regular security audits to detect prolonged unauthorized access.

3.3 Korea Credit Bureau (KCB) Data Breach (2014)

Details | Information
Date | January 2014 (disclosed January 2014)
Impacted Customers | Approximately 20 million
Breached Data | Names; Phone numbers; Social security numbers; Credit card numbers; Credit card expiration dates
Method of Attack | Insider theft
Sector | Financial Services / Credit Ratings

In January 2014, Korea Credit Bureau (KCB), a leading personal credit ratings agency, suffered a substantial insider-driven data breach. A consultant employed by KCB illegally accessed and extracted sensitive personal and financial information from the servers of three major South Korean credit card companies: KB Kookmin Card, Lotte Card, and NH Nonghyup Card. The breach affected nearly 20 million individuals, representing approximately 40% of the country’s entire population at the time. The compromised data included highly sensitive details such as names, phone numbers, social security numbers, credit card numbers, and expiration dates. The stolen information was subsequently sold to phone marketing companies, sparking a nationwide outcry, regulatory scrutiny, multiple arrests, and high-level resignations at the involved institutions. This incident significantly undermined consumer trust and highlighted the urgent need for stringent internal controls in the financial services sector.

Prevention methods:

  • Implement strict internal data access controls to limit sensitive data exposure even to authorized personnel.

  • Conduct regular internal audits and monitoring of employee activities to swiftly detect unauthorized access and suspicious behavior.

  • Provide thorough cybersecurity training to employees, emphasizing ethics, compliance, and internal data-handling standards.

3.4 Nexon (MapleStory) Data Breach (2011)

Details | Information
Date | November 2011 (disclosed November 2011)
Impacted Customers | Approximately 13 million
Breached Data | Names; User IDs; Resident registration numbers; Encrypted passwords
Method of Attack | Unauthorized external database access
Sector | Online Gaming

In November 2011, Nexon, the company behind South Korea’s widely popular online game MapleStory, experienced a significant cybersecurity incident. Hackers gained unauthorized access to a backup database containing sensitive personal information of approximately 13 million local users. The stolen data encompassed user IDs, full names, resident registration numbers and encrypted user passwords. In response, Nexon swiftly disclosed the breach to the public, advised affected users to immediately change their passwords, and initiated a thorough internal investigation in collaboration with local police authorities. Due to the widespread popularity of MapleStory, this breach attracted substantial public attention and raised significant concerns over data security practices within the online gaming industry in South Korea.

Prevention methods:

  • Regularly audit and secure backup databases, ensuring strict access controls and encryption.

  • Implement robust intrusion detection systems to quickly identify unauthorized access attempts.

  • Conduct routine cybersecurity assessments and penetration tests to proactively detect vulnerabilities within critical infrastructure.

3.5 KT Corp. Data Breach (2013)

Details | Information
Date | February 2013 (disclosed March 2014)
Impacted Customers | Approximately 12 million
Breached Data | Names; Resident registration numbers; Bank account details; Telephone numbers
Method of Attack | Customized malware intrusion
Sector | Telecommunications

Beginning in February 2013, hackers used customized malware to infiltrate the internal computer systems of KT Corp., one of South Korea’s largest telecommunications providers. Over the course of approximately a year, attackers stealthily extracted sensitive personal and financial information from around 12 million KT customers. The compromised data included names, resident registration numbers, bank account details, and telephone numbers. Subsequently, the stolen information was sold to telemarketing firms that utilized it for fraudulent sales schemes. Authorities estimated that the hackers earned nearly $11 million through this illegal operation before law enforcement successfully apprehended the perpetrators. This extensive breach underscored significant vulnerabilities in data handling and internal monitoring practices within the telecom industry, resulting in substantial public outrage and tighter regulatory oversight in South Korea.

Prevention methods:

  • Deploy advanced endpoint security and anti-malware solutions tailored to detect custom or sophisticated malware threats.

  • Regularly monitor internal systems for anomalous data transfers or unusual activities to detect breaches swiftly.

  • Implement rigorous security measures for critical databases, including strong encryption, access restrictions, and comprehensive logging.

3.6 KT Corp. Data Breach (2012)

Details | Information
Date | February–July 2012 (disclosed July 2012)
Impacted Customers | Approximately 8.7 million
Breached Data | Names; Phone numbers; Resident registration numbers; Customer profile information
Method of Attack | Custom-developed hacking software
Sector | Telecommunications

Between February and July 2012, KT Corp., South Korea’s prominent telecommunications provider, experienced a severe data breach executed by a programmer who had created custom software to infiltrate the company’s customer information systems. Over approximately seven months, the attacker systematically extracted detailed personal profiles of around 8.7 million KT customers. The compromised data included sensitive personal identifiers such as names, phone numbers, resident registration numbers, and detailed customer profile information. The attacker then sold the stolen data for use in telemarketing and product promotions, significantly impacting customer privacy and leading to widespread consumer complaints. Following the discovery of the breach, South Korean authorities initiated investigations into whether KT Corp. had adequately fulfilled its legal obligations to safeguard customer data, placing increased scrutiny on corporate cybersecurity accountability.

Prevention methods:

  • Conduct regular code audits and security assessments to detect unauthorized software or suspicious system activity.

  • Strengthen system access controls and permissions, restricting sensitive data access to essential personnel only.

  • Implement real-time monitoring and anomaly detection tools to quickly identify prolonged unauthorized access or data exfiltration attempts.

3.7 Hanatour Data Breach (2017)

Details | Information
Date | September 2017 (disclosed September 2017)
Impacted Customers | Approximately 1 million
Breached Data | Names; Resident registration numbers; Phone numbers; Addresses; Email addresses
Method of Attack | Ransomware attack
Sector | Travel and Tourism

In September 2017, Hanatour, South Korea’s largest travel agency, suffered a ransomware attack resulting in the theft of personal records belonging to over 1 million customers. Attackers gained unauthorized access to the company’s customer database, extracting sensitive information including names, resident registration numbers, phone numbers, residential addresses, and email addresses. Following the breach, hackers demanded a ransom payment in Bitcoin, threatening to publicly release the stolen data if their demands were not met. Hanatour immediately reported the incident to authorities and initiated an extensive internal investigation. Despite swift response efforts, details regarding whether the ransom was ultimately paid remained undisclosed, highlighting the complex ethical and operational challenges posed by ransomware incidents. The attack drew public attention to vulnerabilities within South Korea’s travel and tourism industry, emphasizing the critical need for strengthened cybersecurity defenses against ransomware threats.

Prevention methods:

  • Maintain secure, regularly updated backups of sensitive customer databases to mitigate the impact of ransomware.

  • Implement comprehensive endpoint protection solutions specifically designed to detect and block ransomware attacks.

  • Provide ongoing employee cybersecurity training, emphasizing the risks and responses associated with ransomware and phishing threats.

3.8 Citibank Korea Data Breach (2014)

Details | Information
Date | April 2014 (disclosed April 2014)
Impacted Customers | Approximately 34,000
Breached Data | Names; Phone numbers; Email addresses; Account information (excluding passwords and credit card numbers)
Method of Attack | Unauthorized external intrusion
Sector | Financial Services

In April 2014, Citibank Korea experienced a cybersecurity incident involving the unauthorized access and extraction of personal data from approximately 34,000 customer accounts. The leaked information included names, phone numbers, email addresses, and limited account details, though it notably excluded sensitive financial credentials such as passwords and credit card numbers. Despite the absence of critical financial data, attackers utilized the compromised information to execute targeted voice phishing (vishing) scams aimed at defrauding customers through impersonation and manipulation. This incident significantly increased public anxiety surrounding financial fraud risks and prompted immediate warnings and heightened oversight from South Korean financial regulators. Citibank Korea responded quickly by enhancing security measures, reinforcing customer authentication procedures, and launching a detailed investigation into the intrusion.

Prevention methods:

  • Strengthen external defenses and adopt comprehensive intrusion detection systems to prevent unauthorized access.

  • Regularly educate customers about the risks associated with voice phishing and other social engineering techniques.

  • Enhance security protocols around sensitive account information and continuously monitor for suspicious activities to detect and mitigate fraud attempts promptly.

3.9 South Korea Defense Ministry (DAPA) Data Breach (2018)

Details | Information
Date | October 2018 (disclosed October 2018)
Impacted Customers | Unknown
Breached Data | Internal government documents; Arms procurement details; Information on next-generation fighter aircraft
Method of Attack | Exploitation of software vulnerability
Sector | Government / Military Procurement

In October 2018, hackers successfully infiltrated the Defense Acquisition Program Administration (DAPA), a key agency within South Korea’s Defense Ministry responsible for military equipment procurement. The attackers gained unauthorized access to approximately 30 government computers, stealing highly sensitive internal documents. These documents included confidential details regarding arms procurement programs, specifically involving next-generation fighter aircraft, raising severe national security concerns. Investigators traced the breach back to a previously unknown vulnerability within security software installed on government systems, highlighting critical flaws in software security practices and patch management within sensitive government operations. The South Korean government swiftly launched a detailed investigation and enhanced cybersecurity measures, although the exact number of impacted individuals or accounts was not publicly disclosed.

Prevention methods:

  • Conduct regular software and security audits on government networks to swiftly identify and remediate vulnerabilities.

  • Implement robust patch management processes, ensuring timely software updates across all sensitive governmental infrastructure.

  • Establish comprehensive real-time monitoring and intrusion detection systems to immediately recognize and mitigate potential cyber threats to critical national security assets.

3.10 Yes24 Data Breach (2024)

Details | Information
Date | June 2024 (disclosed June 2024)
Impacted Customers | Approximately 120,000
Breached Data | Names; Birth dates; Email addresses; Phone numbers
Method of Attack | Ransomware attack
Sector | E-commerce / Online Ticketing

In June 2024, Yes24, a leading South Korean online bookstore and ticketing service, was severely impacted by a ransomware attack that resulted in a complete system outage lasting five days. The attack halted nationwide operations, preventing customers from purchasing books and concert tickets, significantly disrupting essential digital commerce services. Approximately 120,000 customer records were compromised during the breach, with attackers gaining access to sensitive personal details including names, birth dates, email addresses, and phone numbers. The incident prompted an immediate internal investigation and extensive efforts to restore system functionality, highlighting critical vulnerabilities in cybersecurity preparedness among major South Korean e-commerce and digital services providers. This disruption underscored the broader risks cyberattacks pose to essential services, spurring increased attention to robust cybersecurity protocols within the sector.

Prevention methods:

  • Maintain regular, securely stored backups of critical systems to minimize downtime in ransomware attacks.

  • Implement advanced endpoint protection and real-time threat detection systems to rapidly identify and mitigate ransomware threats.

  • Conduct frequent cybersecurity training and awareness programs to prepare employees against phishing and ransomware incidents.

4. Common Patterns in South Korea Data Breaches

Looking at the biggest data breaches that happened in South Korea up to 2025, a few patterns recur across them:

4.1 Insider Threats and Third-party Risks

Insider threats, originating from employees or contractors with legitimate system access, frequently pose significant security risks. These individuals may misuse their privileges, intentionally or unintentionally, exposing sensitive information. Additionally, many organizations depend heavily on third-party service providers, whose inadequate security practices can introduce vulnerabilities. To mitigate these risks, companies must enforce strict internal monitoring, regular access reviews, and rigorous security assessments for third-party partnerships.

4.2 Prolonged and Undetected Intrusions

Another frequent issue in South Korean cybersecurity incidents is attackers maintaining undetected access within compromised systems for extended periods. This prolonged intrusion allows cybercriminals ample time to thoroughly extract sensitive data without triggering alarms. Such undetected intrusions typically stem from insufficient real-time monitoring, inadequate intrusion detection systems, and a lack of proactive threat-hunting capabilities. To address these vulnerabilities, organizations should invest in advanced monitoring solutions, improve internal alert systems, and regularly conduct proactive security audits and threat assessments.

4.3 Significant Impact on Financial and Telecommunication Sectors

South Korea’s financial and telecommunications industries are frequently targeted due to their large repositories of sensitive customer and financial data. Cybercriminals specifically aim to exploit valuable personal information such as banking credentials, account details, and communication records, often for financial gain or identity fraud. These sectors must prioritize robust cybersecurity frameworks, implement stringent data encryption practices, and continuously enhance security measures to protect highly attractive and sensitive information.

4.4 Slow Detection and Response Times Amplifying Damage

Attackers frequently exploit vulnerabilities within software and systems widely used by South Korean organizations, taking advantage of both known weaknesses and previously undiscovered flaws. These vulnerabilities often result from delayed software updates, inadequate patch management processes, or overlooked security gaps in third-party applications. To effectively counter these threats, organizations must adopt rigorous vulnerability assessment practices, maintain timely patch management procedures, and continuously monitor software for emerging security risks.

5. Conclusion

South Korea’s experience with significant data breaches highlights critical gaps and vulnerabilities that organizations must urgently address. Insider threats, third-party risks, prolonged intrusions, targeted attacks on sensitive sectors, and exploitation of software vulnerabilities consistently emerge as primary areas of concern. These common patterns reveal that many breaches can be effectively prevented or minimized through improved internal monitoring, robust third-party oversight, timely software updates, and advanced threat detection practices.

For South Korean organizations, proactively strengthening cybersecurity infrastructure and establishing comprehensive response strategies are essential steps toward safeguarding sensitive data. By understanding past breaches and addressing these systemic vulnerabilities, businesses can better protect themselves and their customers in an increasingly sophisticated threat environment.
