( December 8, 2025, 04:42 GMT | Official Statement) -- MLex Summary: South Korea is preparing to overhaul its information-security and privacy certification regime for companies holding large volumes of personal data, following a string of high-profile breaches at certified firms. The changes, led by the Ministry of Science and ICT and the Personal Information Protection Commission, would in effect make ISMS-P certification mandatory for key personal-information systems at public bodies, telecom operators and online platforms, while tightening criteria for large platforms and other high-risk operators. Authorities plan to revamp audit methods, expand technical and on-site inspections, and allow certification to be denied or cancelled when serious deficiencies are detected. Companies hit by data breaches will face special follow-up audits, and about 900 ISMS-certified telecom and online-shopping operators have been told to run self-checks for security vulnerabilities ahead of the on-site inspections the government aims to complete by the first quarter of 2026.The statement is attached (in Korean)....
Prepare for tomorrow’s regulatory change, today
MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.
Know what others in the room don’t, with features inclu
SK Telecom cybersecurity rating report: https://www.rankiteo.com/company/sk-telecom
"id": "SK-1765174633",
"linkid": "sk-telecom",
"type": "Breach",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'Government',
'location': 'South Korea',
'name': None,
'size': None,
'type': 'Public bodies'},
{'customers_affected': None,
'industry': 'Telecommunications',
'location': 'South Korea',
'name': None,
'size': None,
'type': 'Telecom operators'},
{'customers_affected': None,
'industry': 'E-commerce / Digital '
'Services',
'location': 'South Korea',
'name': None,
'size': 'Large (900 certified operators)',
'type': 'Online platforms'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personal '
'information)',
'type_of_data_compromised': 'Personal data'},
'date_publicly_disclosed': '2025-12-08',
'description': 'South Korea is preparing to overhaul its '
'information-security and privacy certification '
'regime for companies holding large volumes of '
'personal data, following a string of '
'high-profile breaches at certified firms. The '
'changes, led by the Ministry of Science and ICT '
'and the Personal Information Protection '
'Commission, would make ISMS-P certification '
'mandatory for key personal-information systems '
'at public bodies, telecom operators, and online '
'platforms, while tightening criteria for large '
'platforms and other high-risk operators. '
'Authorities plan to revamp audit methods, expand '
'technical and on-site inspections, and allow '
'certification to be denied or cancelled when '
'serious deficiencies are detected. Companies hit '
'by data breaches will face special follow-up '
'audits, and about 900 ISMS-certified telecom and '
'online-shopping operators have been told to run '
'self-checks for security vulnerabilities ahead '
'of the on-site inspections the government aims '
'to complete by the first quarter of 2026.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': None,
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'Regulatory compliance '
'requirements for security '
'audits and certifications',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing (on-site inspections to be '
'completed by Q1 2026)',
'lessons_learned': 'High-profile breaches at certified firms '
'highlighted gaps in existing security and '
'privacy certification regimes, necessitating '
'stricter audit methods and mandatory '
'certifications for high-risk sectors.',
'post_incident_analysis': {'corrective_actions': 'Mandatory '
'ISMS-P '
'certification '
'for high-risk '
'sectors, '
'revamped audit '
'methods, '
'expanded '
'inspections, '
'and stricter '
'criteria for '
'certification.',
'root_causes': 'Inadequate security '
'measures and '
'certification gaps in '
'existing ISMS-P '
'framework leading to '
'high-profile '
'breaches.'},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': 'Companies should proactively assess security '
'vulnerabilities, prepare for expanded '
'technical and on-site inspections, and '
'ensure compliance with updated ISMS-P '
'certification criteria to avoid denial or '
'cancellation of certification.',
'references': [{'date_accessed': '2025-12-08',
'source': 'MLex',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'ISMS-P '
'certification '
'requirements '
'updated, '
'special '
'follow-up '
'audits '
'for '
'breached '
'companies'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Official statement (in '
'Korean)',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Self-checks for security '
'vulnerabilities, on-site '
'inspections, revamped '
'audit methods',
'third_party_assistance': None},
'stakeholder_advisories': 'Public bodies, telecom operators, and '
'online platforms must comply with new '
'ISMS-P certification requirements and '
'prepare for audits.',
'title': 'South Korea Overhauls Information-Security and Privacy '
'Certification Regime Following High-Profile Breaches',
'type': 'Regulatory Change / Policy Overhaul'}}