Mar 10 • 06:25 UTC 🇰🇷 Korea Hankyoreh (KR)

[Exclusive] Mandatory Reporting of Corporate Hacking, but... 'Concealment' and Penalties for False Reporting Have Gaps

A new law requires companies to report hacking incidents but lacks penalties for false reports, raising concerns about accountability.

Recent legislation in South Korea requires companies to report hacking incidents that occur within their systems, intending to enhance cybersecurity protocols. However, a disturbing oversight has been uncovered: there are no specific penalties established for companies that make false reports regarding hacking incidents. According to information submitted by representative Lee Haemin to the Korea Internet & Security Agency (KISA), the current Information and Communications Network Act does not outline any sanctions for deceptive reporting, which could undermine the law's objective of improving transparency and accountability.

The issue is illustrated by a recent hacking incident involving seller accounts on AliExpress, in which a significant sum of money was compromised, yet the company did not immediately report the incident to law enforcement. Instead, its report to KISA inaccurately stated that the police had been notified. As a result, an investigation began only four months later, following media scrutiny. Observers are concerned that without strict repercussions for false reports, companies may continue to conceal information about hacking incidents, thereby hindering efforts to address and prevent such cybercrimes effectively.

Experts, such as Kim Do-sung, the chairman of the Personal Information Protection Law Association, emphasize that incident reports are not merely procedural; they play a crucial role in mitigating additional harm. Therefore, the lack of consequences for concealing hacking incidents presents a significant gap in the legal framework. To strengthen the licensing and accountability of companies, there is a call for implementing heavy fines or additional sanctions for those who willfully obscure the full truth of their hacking incidents, which could ultimately foster a culture of transparency and responsibility in corporate cybersecurity practices.
