• SK Telecom’s major data breach was the result of basic security failings and ‘management laxity’, according to South Korea’s Personal Information Protection Commission (PIPC)
• The PIPC has imposed a record fine for SKT’s violation, but the fiscal punishment is a drop in the ocean compared with the hit the telco will take in costs, lost revenues and a damaged reputation

South Korea’s data protection regulator, the Personal Information Protection Commission (PIPC), has imposed a record fine on SK Telecom (SKT) and issued a scathing report on the telco’s failings that led to the major cyber incident and data breach suffered by the telco, which was first reported to the country’s authorities in April. 

But the fine of 134.8bn Korean won ($97.2m), plus an administrative penalty of 9.6m won ($7,000), “imposed for violation of safety measures and breach of leak notification requirements”, is a drop in the ocean for SK Telecom, which recently reported second-quarter revenues of 4.34tn won ($3.12bn).  

And it’s nothing compared with the expected hit on the operator’s revenues, costs, margins, customer base and reputation, all of which are set to be negatively impacted in the coming quarters as a result of the data breach and the scathing report issued by the PIPC. 

SK Telecom has already committed to a $514m investment related to its Accountability and Commitment Program, which was introduced as part of its efforts to “rebuild customer trust” in early July, by which time it had lost more than 800,000 mobile customers to its domestic rivals – see KT, LG Uplus make hay as SKT suffers.

The operator’s remaining customers – which numbered almost 22 million mobile users at the end of June – will not be encouraged by the findings of the PIPC’s investigation and might be tempted to churn to a rival mobile operator, especially as SKT has been forced to cancel any contract termination fees until the end of this year for customers that decide to jump ship.   

The PIPC noted in its report (in Korean) that the “key digital personal information” of about 23.24 million 4G and 5G users was “leaked due to hacking of multiple systems that play a key role in the mobile communication services provided by SKT,” with the regulator noting that the data leak was “due to negligence in [the] management of key mobile communication networks and systems.” Violations of the protection law were confirmed, including “vulnerability to external intrusion due to insufficient firewall settings, poor management of server account information (ID/PW), failure to implement encryption, and negligence in preventing malicious programs.” Essentially, SKT left the digital door open and the hackers walked in. 

The investigation found that the cybercriminals “first infiltrated SKT’s internal network in August 2021 and installed malicious programs on multiple servers, secured an additional base by installing malicious programs in the ICAS (Integrated Customer Authentication System) in June 2022,” and eventually leaked users’ personal information that was stored in SKT’s HSS (home subscriber server) database on 18 April 2025. 

The PIPC added: “An investigation into SKT’s personal information processing and management practices and compliance with the Personal Information Protection Act revealed that this incident was caused by SKT’s failure to adhere to basic security measures and management laxity… SKT was not even implementing basic access control, and the security operating environment between the internet and internal network was being managed and operated in a state that was highly vulnerable to illegal hacker intrusion,” noted the regulator.

It continued: “SKT operated its internet, management, core and internal networks as a single network, allowing unrestricted access to its internal management server from the internet (domestic and international). Furthermore, even though the management server did not require interconnection with the HSS where this leak occurred, this allowed for this, allowing hackers to access the HSS from the internet and transmit SIM card information stored in the HSS database to external sources. Furthermore, SKT neglected to detect and respond to illegal data breach attempts, including failing to review the intrusion detection system’s abnormal activity logs. Specifically, despite confirming that hackers had accessed the HSS server in February 2022, SKT failed to check for abnormal communications, the installation of additional malware, or the adequacy of its access control policies, thereby missing an opportunity to prevent this breach in advance.” 

One of SKT’s failings identified by the regulator relates to the role of its chief privacy officer (CPO). “Although SKT processes personal information for the purpose of providing mobile communication services in both the IT and communications infrastructure sectors, the role of the chief privacy officer (CPO) is structured and operated to be limited to the IT sector (web and app services such as Tworld). Accordingly, it was confirmed that the infrastructure area where this leak occurred was not effectively managed or supervised by the CPO, as the CPO was not even aware of the actual status of personal information processing.”  

The PIPC provides further details of SKT’s cybersecurity shortcomings, its failure to report identified vulnerabilities and to even notify its customers within the required 72-hour period once it realised subscriber data had been leaked. All in all, the report makes for shocking reading. 

PIPC chairman Koh Hak-soo stated: “I hope that this incident will serve as an opportunity for businesses that hold and process large amounts of personal information to recognise the related budget and human resources investment as a necessary investment rather than a simple expense. Furthermore, I hope that this will serve as an opportunity to elevate the role and importance of CPOs [chief privacy officers] and dedicated organisations in corporate management in the data economy era, thereby further strengthening the personal information protection system.”

As is the way with companies, SKT is now investing in state-of-the-art security systems and processes and it’s noticeable that its domestic rivals have also announced major security investment programmes. In mid July, KT pledged to invest more than 1 trillion won ($730m) over the next five years on its cybersecurity defences, while in late July LG Uplus issued a press release (in Korean) to say it would invest 700bn won ($504m) over the next five years in its “information security” systems as it unveiled its “security-first strategy” – clearly they do not want to suffer the same fate as SKT. 

- Ray Le Maistre, Editorial Director, TelecomTV