SK Telecom was hit with a record $97.2 million (KRW 134.8 billion) data breach fine for failing to stop the April 2025 cyber attack that leaked the sensitive SIM-related information of 23.2 million people.
The operator must also pay a $7,000 (KRW 9.6 million) administrative fine for failing to report the data breach within 72 hours.
The incident leaked phone numbers, subscriber identification numbers (IMSI), and SIM authentication keys of 5G and LTE subscribers, exposing them to various cyber risks, including USIM cloning.
When imposing the fine, South Korea’s Personal Information Protection Commission (PIPC) said the telecom giant was plagued with “basic security failures and poor management,” which resulted in one of the country’s largest data breaches.
Investigation found failure to implement basic security measures
The SKT data breach fine followed a 3-month intensive investigation by the PIPC and the Korea Internet and Security Agency (KISA) into the cyber incident and the telecom operator’s response.
The investigation found that SKT had failed to implement basic security measures, such as restricting external access to its management and internal networks.
“SKT had linked its internet, management and internal networks on the same system without restricting external access to its internal management servers,” the PIPC said.
PIPC also alleged that SK Telecom had failed to encrypt 26.1 million SIM authentication keys, leaving them vulnerable to exploitation when exposed.
Additionally, the telecom operator had allegedly ignored intrusion detection logs and failed to apply security patches, including for a known and exploited vulnerability dating to 2016. Its chief privacy officer (CPO) was also relegated to dealing with mundane IT issues, leaving its infrastructure without oversight.
SK Telecom is reviewing the data breach fine
For its part, SKT accepted “heavy responsibility” for failing to prevent the incident. However, it criticized the data breach fine for failing to consider its incident response and remediation efforts. SKT therefore warned that it would review the ruling to determine its next course of action.
Following the breach, SKT offered affected customers free SIM card replacements and other rewards like free data and a generous reduction in various charges. For instance, the company waived early termination fees (ETFs) for customers who canceled their contracts.
In addition, it launched the Accountability and Commitment Programme to address its shortcomings and prevent a future data breach.
However, the PIPC stated that its action was not intended to sanction a single company, but rather to “reaffirm the importance of personal information protection” nationwide.
“In particular, the government’s stern response to the public’s anxiety and harm caused by companies failing to fulfil their responsibility to protect users’ personal information is expected to serve as a wake-up call for other companies to strengthen their personal information management systems and implement preventative protection measures,” it said.
Meanwhile, SK Telecom is hardly the first tech giant to attract a punitive data breach fine in South Korea for failing to protect its customers’ privacy. In September 2022, Google was hit with a $50 million (KRW 69.2 billion) data breach fine for privacy violations.
In the same month, the privacy regulator fined Meta approximately $22 million (KRW 30.8 billion) for collecting user data for ad targeting without consent. Kakao was also slapped with a $10.8 million (KRW 15.1 billion) data breach fine, while LG Uplus was ordered to pay $4.9 million (KRW 6.8 billion) in response to a data breach.
However, the SK Telecom data breach fine is the largest imposed so far on a single company for allegedly failing to protect its customers’ privacy.
Besides imposing punitive data breach fines, PIPC also announced strategies to enhance data protection for large processors.

