
- SK Telecom has been investigated following a major data breach that was reported in April
- The South Korean government has deemed the operator negligent, will issue a small financial penalty and initiate a further probe
- SK Telecom has expressed ‘deep regret’ and has introduced a new accountability programme to ‘rebuild customer trust’
- It will invest $514m over the next five years to shore up its security systems and processes
SK Telecom has introduced its Accountability and Commitment Program, which includes a $514m investment in new security systems and processes, to “rebuild customer trust” after the South Korean government found the operator to have been “negligent” in dealing with the security breach that resulted in the theft of subscriber data earlier this year.
As has been widely reported, SK Telecom (SKT) suffered a disastrous security breach and data leak, first reported on 19 April, after malware infected its Home Subscriber Server (HSS). The hackers extracted subscriber information, including authentication keys for up to 23 million SK Telecom mobile subscribers, and, as the operator scrambled to deal with the hack and replace SIM cards, customers churned to SKT’s rivals, KT Corp and LG Uplus – see SK Telecom sheds subs in wake of disastrous data breach.
The South Korean government has now concluded an investigation into the incident. It found SKT to be “negligent” due to “poor account information management,” an “inadequate response to past breaches” (the operator apparently realised its systems had been infected as long ago as 2022 but did not report the breach) and “insufficient encryption of important information,” the Ministry of Science and ICT noted in this announcement (in Korean). It found that 25 types of subscriber data relating to 26.96 million accounts had been leaked.
Because SKT didn’t report that initial breach as required by law, the ministry said it will impose a fine of up to 30 million won (just $22,000) and refer the company for further investigation over its alleged violation of a data preservation order, as some of its servers could not be properly inspected by investigators.
The operator issued an announcement to note that it “acknowledges the findings of the joint public-private investigation and expresses its deep regret regarding the cybersecurity incident. We sincerely apologise to our customers and to society for the inconvenience and concern this incident has caused, and we are committed to taking all necessary steps to ensure this does not happen again.”
As part of its Accountability and Commitment Program, SKT is introducing an Information Protection Innovation Plan, which it describes as “the largest investment in the telecommunications industry to elevate its information protection system to global top-tier standards.”
It is to invest 700bn won ($514m) over the next five years “to expand security teams, improve systems and elevate information protection to top-tier standards. The company plans to double its information protection team by hiring industry experts and developing in-house talent.” And “to support the growth of the Korean information protection industry, SK Telecom will establish a KRW10bn [$7.3m] fund to strengthen Korea’s cybersecurity industry. The fund is set to be used for fostering talent in collaboration with prestigious universities specialising in information security, operating industry-academic partnership programmes, and supporting the discovery and development of promising information security startups.”
SKT will also revamp its chief information security officer (CISO) role to report directly to the CEO, “strengthening its responsibilities within the company”. In addition, “the board of directors will include a cybersecurity expert to ensure stronger security decision-making and execution at the executive level,” and the operator will “establish a Red Team, tasked with continuously checking and improving security vulnerabilities, building a practical and proactive security system” to proactively address security vulnerabilities from the attackers’ perspective. It will also apply a Zero Trust-based Information Protection System and “expand the scope of its Personal Information & Information Security Management System (ISMS-P) certification to include telecommunications infrastructure and enterprise-wide systems, beyond key business systems and major telecommunications and IT services.”
The Accountability and Commitment Program also includes: the Customer Assurance Package (SIM protection) that was introduced after the data breach; a Customer Appreciation Package made available to all 24 million customers who use SKT mobile services, and those signed up to its MVNO partners, which includes a 50% bill reduction for August and an extra 50 gigabytes of data per month until the end of this year as well as other benefits; and the waiving of subscription cancellation fees for any customers who were subscribed to SKT before midnight on 18 April and who either cancelled their subscription after the cybersecurity incident or intended to cancel it by 14 July.
SKT estimates the cost of the Customer Appreciation Package will be about 500bn won ($367m). Reuters reports that the operator has reduced its full-year earnings forecast by 800bn won ($587m) to account for the impact of that initiative and other associated costs.
Full details of SKT’s Accountability and Commitment Program can be found in this announcement.
- Ray Le Maistre, Editorial Director, TelecomTV