Telecom companies’ annual ESG reports have been put to an unexpected test. Information security, presented as a key item, has lost credibility in the face of repeated hacking incidents. Critics say the gaps exposed during actual incidents, in contrast to the efforts the reports highlight, are weakening the reports’ persuasiveness.

According to the telecom industry on Tuesday, the three carriers, SK Telecom, KT and LG Uplus, each publish an ESG report every year that runs to hundreds of pages. In the reports, they have presented key security tasks such as expanding information security investment, upgrading management processes and strengthening employee training. Phrases such as integrated security monitoring, regular training and ensuring data subjects’ rights are also included. From the reports alone, South Korea’s telecom security system reads as if it has largely stabilised.

But as security incidents continue, doubts are growing over whether the response processes outlined in the reports actually worked. An industry official said, "The reports make the response system look perfect, but during incidents controversies such as delayed reporting or confusion in response keep recurring." The official added, "There is a need to check whether it was just creating sentences for the report."

◆ They stressed 'strengthening the security system'... trust shaken by repeated incidents

For example, in its 2024 report published in May last year, SKT highlighted pursuing a zero-trust system and operating an integrated monitoring centre as key security strategies. In the data security section of its information security policy, it wrote that it encrypts important data to fundamentally block unauthorised access.

But after cases of a large-scale SIM information leak and malware infection were reported last year, criticism emerged that the risk response emphasised in the report did not work sufficiently in real situations. In the report published after the hacking incident became known in April, SKT stressed, "We will do our utmost to strengthen the security system to protect customer information and prevent recurrence so that all customers can feel at ease."

KT’s ESG report stressed regular drills to prepare for intrusion incidents and a rapid response system. In the incident response section, it explained, "Employees who become aware of an intrusion incident report it to the information security manager for the relevant division using various channels." However, KT was criticised for belatedly reporting an unauthorised small-amount billing incident last year.

A joint public-private investigation found basic security loopholes, including the use of the same manufacturer certificate for all femtocells and a certificate validity period set to 10 years. It also exposed a structural vulnerability in which the encryption on communications could be removed, allowing authentication information sent by SMS or voice-call ARS to be stolen.

LG Uplus, through its ESG report, stressed not only its security system but also its organisation and procedures. It highlighted achievements in strengthening its security organisation, such as enacting and revising company-wide information security rules and guidelines, operating a company-wide security consultative body and running an external information security advisory committee. But after signs of an intrusion at a security partner, it was confirmed that some servers were reinstalled or discarded, raising suspicions that the incident was being concealed. The government has judged LG Uplus’ actions to be inappropriate and has referred the case to police for investigation on suspicion of obstruction of official duties.

◆ ESG results are good but incidents keep recurring

The three carriers’ ESG evaluation results have also drawn disappointment. In a 2025 assessment by the Korea Institute of Corporate Governance and Sustainability (KCGS), SKT, KT and LG Uplus all received an overall A grade. Telecommunications is a key infrastructure industry directly linked to daily life. But with repeated security incidents and signs of poor management confirmed, critics say the current ESG evaluation system does not properly reflect incident response capability and accountability.

Experts stress that telecom companies’ security systems must become core governance rather than mere words. They say upgrading monitoring and solutions is basic, and the entire process of prevention, detection, response and reporting must work organically.

Yeom Heung-yeol (염흥열), an emeritus professor in the Department of Information Security at Soonchunhyang University, said, "It must not end with simply establishing security measures." He added, "A governance system is needed to verify effectiveness." He also said ESG reports should specifically describe whether policies were properly applied under the direction of the chief information security officer, from policy establishment and implementation to enforcement and confirmation of effectiveness.

A security industry official said, "The outside must be able to judge whether a company fulfilled its responsibilities." The official added, "Introducing security solutions is basic, and it should include the budget execution process and the operating flow of security processes."

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.