
Cybersecurity in South Korea: National Data Center Fire

Bola Ogbara

A fire at a crucial data center sparked debate about South Korea's readiness to handle cybersecurity issues without a central cybersecurity control tower. 


On Friday, September 26, 2025, a fire burned through South Korea’s National Information Resources Service (NIRS). The NIRS holds more than one-third of the government’s datacenters directing the country’s cyber infrastructure. The blaze continued for 22 hours, as firefighters were forced to use fire suppression systems instead of the typical approach with water. It started when a lithium-ion battery in a server room caught fire as workers attempted to replace it. Besides the first-degree burns that a worker suffered in the incident, the fire had serious consequences for South Korean government systems.

 

The next morning, 647 government IT systems were shut down due to concerns that the fire’s effect on the air conditioning and dehumidifying systems would lead to the remaining servers overheating. The temporary shutdown pulled mobile identification services, postal banking, complaint portals, major government sites, government email, and intranet systems offline. This meant that many regular processes involving digital verification tools had to be put on pause - student records became inaccessible, certain tax payments had to be delayed, and real estate purchases had to be paused without the necessary document verification. In the worst cases, some hospitals had to turn away citizens who did not have physical identification on hand.

 

That day, at an emergency press briefing, Vice Minister Kim Min-jae encouraged South Koreans to use different sites or offline offices as an alternative to the services that were no longer available while the Interior Ministry worked to fix the issue. The Interior Ministry has made some progress - by Tuesday, September 30th, at least 89 (about 14%) of the 647 systems were back up and running. They also shared their expectations that systems not directly impacted by the fire would be restored in one to two weeks. Still, 96 of the 657 systems (about 15%) were entirely lost due to the fire, and moving these to a backup facility is expected to take a month - at least two weeks longer than what was first predicted by the Ministry - meaning the disruptions are likely to linger. 

 

In the aftermath of the NIRS fire, many have voiced their disappointment and frustration at the incident’s impact. Even with President Lee Jae Myung apologizing for the crisis, saying: “The public is experiencing great inconvenience and anxiety because of the fire. As the nation's top executive, I offer my sincere apologies,” there has been an outcry from newspapers and citizens alike. An editorial in Hankyoreh, a Korean paper, slammed the fire as “a flabbergasting disaster in a country that calls itself an IT powerhouse”.

 

It’s true that South Korea is renowned for its technological advancements, with the nation ranking fourth in the 2025 Global Innovation Index and second in the US News list of countries with the most Technological Expertise. This alone would make the persistence of this disruption striking, but the reason this event is stirring so much ire is that it’s happened before - and despite legislation being passed to prevent the disaster, there have been no apparent changes in the government’s ability to respond since the first incident.

 

In 2022, a different data center fire at Kakao Corp. (the company behind KakaoTalk, an extremely popular messaging service in South Korea with more than 45 million users at the time) affected services in business, finance, and transportation on top of social networking. The service was used so widely that even taxi drivers had trouble functioning in the outage. Calls for managing the company’s monopoly led to legislation requiring IT service providers to have a set of preventive measures, like a data redundancy system and a disaster recovery plan. 

 

Outside of the Kakao shutdown, a 2023 outage of network administrative systems also gave rise to criticism about the lack of a data redundancy system in the case of an outage. Efforts to establish a cloud center with disaster recovery systems have been delayed for more than a decade, and a 25.1 billion won ($17.9 million) budget in 2024 meant for improving IT infrastructure was never used - seemingly representing a low prioritization of cybersecurity in government, despite the high-profile response to the private sector Kakao incident.

 

Even before the fire, the Board of Audit and Inspection (BAI) launched an audit on the NIRS in 2024 as part of a larger investigation into administrative information systems. The report, which was released on Monday, September 29th, attributed part of the 2023 incident to a defective port in a router that was “significantly aged.” The NIRS itself noted that old equipment (IT equipment used for over seven years) failed at rates at least 200% higher than newer equipment. The audit found that just over a third (34.6%) of the equipment was outdated, partially due to delayed replacement budgets.

 

The NIRS fire comes amidst a larger trend of cyber attacks in South Korea, putting a spotlight on the nation’s cybersecurity posture. In just 2025, there’s been at least one major cybersecurity incident nearly every month. These hacks have targeted the finance, communications, and technology industries, along with the government, increasing the likelihood of everyday citizens being affected in a highly digitized country.

 

In just September, KT, a large telecom operator, experienced a breach that revealed data from over 5,500 subscribers. Lotte Card, a credit card company with the largest distribution network in Korea, also weathered an attack that compromised 200 GB of data from nearly 3 million customers. Part of the issue may be the small cyber workforce, but others are pointing to the lack of an organized government protocol around cybersecurity. 

 

In an interview with TechCrunch, Brian Pak, Chief Executive of Seoul-based cybersecurity firm Theori, specifically discussed the nation’s cyber MO: “The government’s approach to cybersecurity remains largely reactive, treating it as a crisis management issue rather than as critical national infrastructure,” meaning they look for “quick fixes” after cyber incidents without dedicating time and resources to supporting critical IT infrastructure.

 

A prevailing solution to improving the infrastructure is the development of a cybersecurity control tower. At the moment, South Korea does not have a centralized agency to act as the first responder to cyber incidents. Instead, the responsibility to respond to hacks is divided based on the kind of attack: personal data breaches in the private sector are addressed by the Korea Internet and Security Agency under the Ministry of Science and ICT (MSIT), finance-related hacks are overseen by the Financial Services Commission, and cyber attacks on public institutions are managed by the National Intelligence Service. Adding to this disconnection, these agencies have different requirements for incident reporting and don’t always collaborate even when the cyberattacks may include more than one category. 

 

CEO of ENKI WhiteHat (an offensive security service firm), Lee Sung-kwon, made some recommendations for restructuring: “Each specialized agency should carry out its role, but there also needs to be a body to provide direction and coordination. For example, if Chinese hackers are suspected for a case, the National Cybersecurity Center should be involved, the police need to investigate and related organizations such as the FSI should also be engaged.”

 

It’s worth noting that some, like Pak, see a centralized authority for these incidents as a path to presidential overreach in the event of politicization. They might suggest a central authority with independent oversight to bolster a chain of accountability without handing too much power over to one agency. 

 

While the conversation about a consolidated cybersecurity agency continues, South Korea is making strides to improve its cybersecurity posture by other means. On Monday, September 22nd, the Office of National Security announced plans to create comprehensive cybersecurity measures as a response to the hacking incidents throughout the year. The Friday before, the Second Vice Minister of the MSIT, Ryu Je-myung, discussed changes to penalties around cyber incident reporting: “Companies that intentionally delay or fail to report cyber intrusions will face significantly heavier penalties.” In contrast, the Cybersecurity Information Sharing Act in the US, which helped the private sector to share information on cyber incidents with the government, quietly expired as a result of the ongoing government shutdown.

 

Ryu also revealed that restructuring was on the horizon, saying: “We will overhaul the entire security architecture from the ground up. This is not a time for temporary fixes – we are looking to implement long-term, fundamental solutions”. While this comment was made in response to the string of hacks in September instead of the NIRS data center fire, reorganizing the government for better cyber infrastructure could lead to an easier recovery process in the event of another crisis.