"SKT Security, Frustratingly Lax"... Fine of 134.8 Billion Won 'Largest Ever'

[Financial News] A massive USIM information leak incident occurred at SK Telecom (SKT), resulting in a record fine of 134.791 billion won. When adding a penalty of 9.1 million won, it amounts to 134.8 billion won.
Haksoo Ko, Chairman of the Personal Information Protection Commission, stated at a briefing on the decision of sanctions for the SKT personal information leak incident held at the Government Complex Seoul on the 28th, "It was confirmed that SKT violated multiple safety measures obligations, leading to the leak of major digital personal information of over 23 million customers, such as phone numbers, subscriber identification numbers (IMSI), and USIM authentication keys."
The Personal Information Commission judged the severity of SKT's leak incident as 'very serious', the highest level. The leak scale is extensive, and SKT's personal information security system was excessively lax and poorly managed, according to the commission's judgment.
The investigation revealed that due to hacking of multiple systems playing a core role in SKT's mobile communication services, key information such as phone numbers, subscriber identification numbers (IMSI), and USIM authentication keys (Ki, OPc) of 23,244,649 users (including MVNOs, duplicates removed) were leaked. The leaked information amounts to 25 types.
Chairman Ko stated, "SKT's management and supervision of personal information protection was overall very lax for quite a long time," adding, "(The security state was) in a very vulnerable state, and despite having enough time to take measures, they continuously missed it, which frustrated the investigation committee."
He further noted, "USIM information is a crucial gateway for communication between individuals and society in daily life, possessing a very significant nature," and "The committee shared a common awareness of the problem that the nation's top telecom company, used by half of the population, poorly managed such information."
Regarding the calculation of the fine, Chairman Ko explained, "The nature of the leaked information (USIM) is also important, and the leak of information of over 23 million users is very serious," adding, "Especially, SKT has been exposed to a vulnerable state over the past few years. The vulnerable points were not just one or two but very extensive. Considering these, the conclusion was reached as very serious."
According to the Personal Information Commission, hackers initially infiltrated SKT's internal network in August 2021 and installed malicious programs on multiple servers. In June 2022, they installed malicious programs within ICAS (Integrated Customer Authentication System) to secure additional footholds, and on April 18, they stole 9.82GB of user personal information stored in the HSS (Home Subscriber Server) DB.
The issue is that SKT managed and operated the security operating environment between the internet and the internal network in a very vulnerable state to illegal intrusions by hackers, without even basic access control. Access to internal management network servers was allowed without restriction, and intrusion detection management or basic security updates were not properly functioning.
However, considering that SKT corrected the violations related to the leak incident, made efforts to recover user damages, and presented efforts for personal information protection, some mitigation was applied.
With the imposition of the fine by the Personal Information Commission, the suspended dispute mediation procedure will also resume. Chairman Ko stated, "There are currently three cases of collective dispute mediation by subscribers, involving about 2,000 users," adding, "Separately, more than 600 individual cases have been filed. The number of applicants may increase." He continued, "Since the disposition has been made, the temporarily suspended dispute mediation procedure will resume."


yjjoe@fnnews.com Yoonju Cho Reporter