
A hacked company is a victim. But being a victim does not grant absolution. In Korea, expectations regarding moral responsibility — separate from legal liability — tend to be set very high. When a company entrusted with customer data fails to protect it, the weight of responsibility falls on the company first, regardless of who the attacker is. It may feel unjust, but that is how it works. A crisis is not fair. Yet the real problem lies in what comes next.
Primary damage is a past event. It has already occurred. It cannot be undone. But secondary damage is a future event. It has not yet occurred. It can be prevented. Humans feel far stronger anger toward damage that could have been prevented but was not, than toward damage that could not have been controlled. Hacking itself is sometimes perceived as an unavoidable risk to a certain degree. But a company that neglects secondary damage is hard to forgive. Public opinion reads such neglect as negligence and indifference, and at times as evidence of incompetence. Leaked information moves quietly. Voice phishing, smishing, identity theft, SIM cloning — once leaked, information is used for a long time, repeatedly, passing through many hands. If primary damage is an incident, secondary damage is a disaster.
In January 2023, LG Uplus customer information was found on the dark web. The company did not discover it on its own. The Korea Internet & Security Agency detected it first and notified the company. The explanation given was that fact-checking and internal reporting took time, but the first notice did not come until eight days after the notification. It was posted quietly on the website. The notice consisted of a single line: "Personal information may be used inappropriately, so please be careful." There was no instruction to change passwords, no mention of reporting suspicious financial transactions, no warning to watch for voice phishing. Customers were left alone. The door to secondary damage remained open for eight days. The scale of damage was later revised three times — from 180,000 to 290,000, and again to 396,000. The Personal Information Protection Commission imposed a fine of 6.8 billion won. The official judgment — "information protection investment significantly lower than that of competitors" — was left on the record.
Failing to prevent preventable damage is no different from causing the damage. This is called liability for omission (不作爲). It is responsibility that arises from not acting. Public opinion effectively judges a company that neglects secondary damage as equivalent to the perpetrator.
In April 2025, SK Telecom suffered a hacking incident that leaked SIM authentication data for approximately 23 million subscribers. The initial notice drew criticism for heightening customer anxiety. But SKT changed direction. Instead of debating the cause, it shifted the front line to blocking secondary damage. It began offering free SIM replacements for all subscribers at stores nationwide. It promised 100% compensation for secondary damage to those who signed up for its SIM protection service. Financial authorities recommended the use of a service blocking non-face-to-face account openings, and enrollment surged. The core aim was singular: to nullify the effectiveness of information that had already been leaked. If primary damage cannot be undone, cut the path through which it spreads into secondary damage. The Personal Information Protection Commission ultimately imposed a large fine. But security experts rated the secondary-damage blocking measures as "preemptive and realistic." Within the scope disclosed so far, no large-scale secondary damage has been confirmed.
There are three principles a company must uphold in a personal information leak crisis. The first is speed. Secondary damage begins immediately after the leak. Each day the notice is delayed is another day the possibility of damage remains open. The second is specificity. "Please be careful" is not guidance. A company must say what to change, where to report, and how to respond. The third is preemptiveness. Cleanup after damage has been reported is not a response. Moving before damage occurs is true crisis management.
The front line of a crisis is not determined at the moment the hack occurs. It is determined by what the company does afterward. A hack makes a company a victim. But a company that neglects secondary damage turns itself into a perpetrator.







