SK Innovation E&S is alleged to have become aware of a hack in November 2022 but reported it to security authorities only 4 years later.
Materials received from the Korea Internet & Security Agency (KISA) and SK E&S by the office of Min Hee-hee (최민희), a Democratic Party lawmaker who chairs the National Assembly's Science, ICT, Broadcasting and Communications Committee, show the security incident occurred on Sept. 30, 2022. The company conducted its own security inspection after receiving an internal report of abnormal network activity on Nov. 3 that year and identified the breach the next day.
SK E&S had failed to apply software security updates on an outdated server for an extended period. As a result, a hacker exploited vulnerabilities in the outdated server and broke in, and the damage later spread to other servers. The company responded after identifying the first incident by checking for traces of hacking, changing employee passwords, formatting and reinstalling servers, and operating solutions to detect residual threats and additional attacks. A second incident was detected in December, a month later, and additional security measures followed. It was confirmed that 13GB of internal account information and 2GB of data including emails on servers were leaked in the first and second incidents, respectively.
Min's office said it spent about 2 months verifying the facts after receiving a tip in February about the SK E&S server breach. After the Ministry of Science and ICT also launched an investigation, SK E&S filed a breach report with KISA on March 26 this year. Under the current Information and Communications Network Act, a company must report to the government within 24 hours of becoming aware of a breach. However, Min's office said materials submitted by SK E&S showed the company handled the incident internally, and some related data are now missing because hacked servers needed for the investigation were discarded or had their operating systems reinstalled.
The Ministry of Science and ICT and KISA are investigating the incident, but are facing difficulties because servers needed for the probe have been disposed of, Min's office said. Min's office said SK E&S replied that it formatted servers to respond quickly at the time, or disposed of them after the retention period expired, and that it did not intentionally delete them.
Min said hacking at a national core facility in the private sector must be managed and supervised in close cooperation with the government. She said the Ministry of Science and ICT should conduct a thorough investigation to uncover the truth.