(December 8, 2025, 04:42 GMT | Official Statement) -- MLex Summary: South Korea is preparing to overhaul its information-security and privacy certification regime for companies holding large volumes of personal data, following a string of high-profile breaches at certified firms. The changes, led by the Ministry of Science and ICT and the Personal Information Protection Commission, would in effect make ISMS-P certification mandatory for key personal-information systems at public bodies, telecom operators and online platforms, while tightening criteria for large platforms and other high-risk operators. Authorities plan to revamp audit methods, expand technical and on-site inspections, and allow certification to be denied or cancelled when serious deficiencies are detected. Companies hit by data breaches will face special follow-up audits, and about 900 ISMS-certified telecom and online-shopping operators have been told to run self-checks for security vulnerabilities ahead of the on-site inspections the government aims to complete by the first quarter of 2026. The statement is attached (in Korean)....
TÜV Rheinland Group cybersecurity rating report: https://www.rankiteo.com/company/tuv-rheinland-group
"id": "TUV1765188618",
"linkid": "tuv-rheinland-group",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'Government',
'location': 'South Korea',
'name': None,
'size': None,
'type': 'Public Bodies'},
{'customers_affected': None,
'industry': 'Telecommunications',
'location': 'South Korea',
'name': None,
'size': None,
'type': 'Telecom Operators'},
{'customers_affected': None,
'industry': 'E-commerce/Technology',
'location': 'South Korea',
'name': None,
'size': None,
'type': 'Online Platforms'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal Data'},
'date_publicly_disclosed': '2025-12-08',
'description': 'South Korea is preparing to overhaul its '
'information-security and privacy certification '
'regime for companies holding large volumes of '
'personal data, following a string of '
'high-profile breaches at certified firms. The '
'changes, led by the Ministry of Science and ICT '
'and the Personal Information Protection '
'Commission, would make ISMS-P certification '
'mandatory for key personal-information systems '
'at public bodies, telecom operators, and online '
'platforms, while tightening criteria for large '
'platforms and other high-risk operators. '
'Authorities plan to revamp audit methods, expand '
'technical and on-site inspections, and allow '
'certification to be denied or cancelled when '
'serious deficiencies are detected. Companies hit '
'by data breaches will face special follow-up '
'audits, and about 900 ISMS-certified telecom and '
'online-shopping operators have been told to run '
'self-checks for security vulnerabilities ahead '
'of on-site inspections.',
'impact': {'brand_reputation_impact': 'High',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': None,
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing (on-site inspections planned '
'for Q1 2026)',
'lessons_learned': 'High-profile breaches at certified firms '
'highlighted gaps in the existing '
'certification regime, necessitating stricter '
'oversight and mandatory compliance for '
'high-risk operators.',
'post_incident_analysis': {'corrective_actions': 'Mandatory '
'ISMS-P '
'certification '
'for high-risk '
'operators, '
'revamped audit '
'methods, '
'expanded '
'inspections, '
'and stricter '
'enforcement of '
'compliance.',
'root_causes': 'Inadequate security '
'measures and '
'oversight in the '
'existing '
'certification regime '
'led to high-profile '
'breaches at certified '
'firms.'},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': 'Companies should prepare for stricter '
'audits, self-assess security '
'vulnerabilities, and ensure compliance with '
'the new ISMS-P certification requirements to '
'avoid denial or cancellation of '
'certification.',
'references': [{'date_accessed': '2025-12-08',
'source': 'MLex',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'ISMS-P '
'certification '
'changes '
'announced'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Official statement '
'released',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Revamped audit methods, '
'expanded technical and '
'on-site inspections, '
'self-checks for security '
'vulnerabilities',
'third_party_assistance': None},
'stakeholder_advisories': 'Regulatory changes announced; '
'affected entities advised to conduct '
'self-checks and prepare for audits.',
'title': 'South Korea Overhauls Information-Security and Privacy '
'Certification Regime Following High-Profile Breaches',
'type': 'Regulatory Overhaul'}}