Cybersecurity News that Matters

Daily briefing: From hacks to backlash

Illustration by Areum Hwang, The Readable

by Dain Oh

Jun. 12, 2025
6:00 PM GMT+9

Daily Briefing is a curated listicle made available by The Readable. We select a handful of significant stories worth sharing with our readers and present them in an easy-to-read, accessible format.


South Korea is grappling with a wave of cybersecurity crises, as a string of data breaches and system failures sparks public outcry and regulatory scrutiny. In the span of a few days, lawmakers have proposed tougher privacy laws in response to recent telecom hacks, two major universities have been hit with fines for leaking personal data due to long-standing security flaws, and a ransomware attack has crippled YES24, one of the country’s largest online bookstores and ticketing platforms. The incidents have intensified calls for stronger digital safeguards and more transparent incident response measures. Here’s what you need to know today.


Editor’s note: The Readable team will be taking a short break, and no new articles will be published until June 22. We’ll return on June 23 with fresh reporting and deeper insights to keep you informed. Thank you for your continued readership and understanding.


1. YES24 cyberattack sparks outage, customer outrage, and stock plunge – Korea Economic Daily

YES24, one of South Korea’s largest online bookstores and eBook platforms, has remained offline for four consecutive days following a ransomware attack that occurred in the early hours of June 9. The incident has paralyzed all major services—including book orders, event ticketing, and eBook access—causing significant disruption to users. eBook readers have been particularly vocal, as many are unable to open purchased titles that were not downloaded prior to the attack. Complaints have flooded online communities, with users expressing frustration over access to rare or time-sensitive content. Annual subscription users are also demanding compensation if service restoration is delayed.

The attack has also severely affected the concert and performing arts sector, for which YES24 is a key ticketing platform. Unable to access booking confirmations, some attendees have been denied entry to events, while others faced confusion at venues, encountering inconsistent admission policies. Several high-profile events, such as ENHYPEN’s fan signing and B.I’s fan club ticketing, were canceled or postponed due to system outages. Production companies have responded in varied ways, ranging from requiring printed confirmations to handing out unclaimed tickets randomly, leading to concerns over fairness and accountability.

Controversy has deepened due to YES24’s lack of transparency in its early response. The company initially labeled the situation as a “system check” and only acknowledged the ransomware attack on June 11, after it was publicly revealed by lawmaker Choi Soo-jin of the National Assembly’s Science, ICT, Broadcasting and Communications Committee. The Korea Internet & Security Agency (KISA) refuted YES24’s claim of close cooperation, stating that the company failed to provide technical support or engage in proper communication. Meanwhile, YES24’s stock price has dropped over 9% in three days, and the police have launched a preliminary investigation into the incident, including the scale of data leakage. Although YES24 claims full service recovery is expected by Sunday, many users remain skeptical, citing fears of potential personal data compromise.

2. New bill seeks stronger corporate accountability in wake of SK Telecom data leak – Seoul Economic Daily

In response to recent data breaches, most notably the hacking incident involving SK Telecom, a new legislative initiative has been introduced in the South Korean National Assembly to strengthen corporate accountability for personal data protection. On June 12, Representative Lee Hae-min of the Rebuilding Korea Party proposed two key bills: an amendment to the Personal Information Protection Act and another to the Act on Promotion of Information and Communications Network Utilization and Information Protection.

The proposed amendment to the Personal Information Protection Act, informally dubbed the “Individual Notification Mandate Bill,” would legally require companies to individually notify affected users—via phone, text, email, or mail—whenever a personal data leak occurs. Companies would also be obligated to report preventive measures and protection plans to both the affected individuals and the Personal Information Protection Commission. This initiative comes after SK Telecom faced criticism for failing to notify its subscribers promptly after its system was breached.

The second bill, referred to as the “Compulsory Penalty Levy Bill,” proposes financial penalties for companies that hinder government investigations by refusing to submit documents or by submitting false information. Penalties would be based on the company’s revenue, or default to 2 million won (roughly $1,500) per day if revenue-based calculation is not possible. This measure aims to strengthen enforcement compared to the current maximum fine of 10 million won (roughly $7,500). Representative Lee emphasized that while preventing all cyber incidents may not be feasible, ensuring timely and transparent communication with users is a non-negotiable corporate responsibility.

3. South Korean regulator sanctions two universities over data breaches affecting 400,000 individuals – PIPC

On June 11, the Personal Information Protection Commission of South Korea (PIPC), chaired by Koh Hak-soo, imposed a total of KRW 966 million (roughly $720,000) in fines and KRW 5.4 million (roughly $4,000) in administrative penalties on Jeonbuk National University and Ewha Womans University for violating the Personal Information Protection Act. Both universities were found to have neglected essential data security measures, resulting in large-scale personal data breaches. The commission also issued corrective orders, public disclosure requirements, and disciplinary recommendations.

Jeonbuk National University suffered a major breach between July 28 and 29, 2024, when a hacker exploited long-standing vulnerabilities—including SQL injection and parameter tampering—in the university’s academic information system. These flaws had existed since the system was first deployed in December 2010. Approximately 320,000 individuals’ personal data, including 280,000 resident registration numbers, were stolen. The university failed to detect abnormal traffic over the weekend due to inadequate off-hours monitoring. Additionally, it was found to have unlawfully retained 233 resident registration numbers collected between 1997 and 2001, in violation of regulations introduced in 2014.

Ewha Womans University experienced a similar breach from September 2 to 3, 2024, when a hacker accessed the university’s integrated administrative system through a vulnerability that allowed parameter tampering without proper session validation. The attack led to the exposure of personal data—including resident registration numbers—of about 83,000 current and former undergraduate students through roughly 100,000 unauthorized input attempts. The vulnerability had been present since the system’s launch in November 2015. Like Jeonbuk National University, Ewha was found to lack effective security monitoring during nights and weekends, enabling the attack to go undetected in real time.


Editor’s note: Each item in this briefing was initially summarized or translated by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.


  • Dain Oh
    : Author

    Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expe...
