SK Telecom Fined, Slammed by Regulator Over Data Breach
South Korea's data protection regulator, the Personal Information Protection Commission (PIPC), has handed down a record fine of 134.8 billion Korean won ($97.2 million) to SK Telecom (SKT) and issued a scathing report on the telco's failings that led to a major cyber incident and data breach. The fine, which also includes an administrative penalty of 9.6 million won ($7,000), is a drop in the ocean for SK Telecom, considering the operator recently reported second-quarter revenues of 4.34 trillion won ($3.12 billion).
The PIPC's report details how SKT failed to implement basic security measures, including insufficient firewall settings and poor management of server account information. The regulator also noted that the telco neglected to detect and respond to illegal data breach attempts, allowing hackers to access sensitive user data.
How Did It Happen?
The PIPC's investigation revealed that hackers first infiltrated SKT's internal network in August 2021 and installed malicious programs on multiple servers. They later leaked users' personal information stored in SKT's HSS (home subscriber server) database on April 18, 2025.
According to the report, SKT's failure to adhere to basic security measures was compounded by management laxity. The regulator noted that SKT operated its internet, management, core, and internal networks as a single network, allowing unrestricted access to its internal management server from the internet (domestic and international). This allowed hackers to access the HSS database and transmit SIM card information to external sources.
The investigation also found that SKT's chief privacy officer (CPO) played a limited role in managing personal information processing. The CPO was not aware of the actual status of personal information processing, and the infrastructure area where the leak occurred was not effectively managed or supervised by the CPO.
Consequences for SK Telecom
The data breach has had severe consequences for SKT. The operator lost more than 800,000 mobile customers to its domestic rivals in just a few months after the incident was reported. SKT's remaining customers will likely be discouraged by the PIPC's findings and may consider switching to a rival mobile operator.
Additionally, SKT has been forced to cancel any contract termination fees until the end of this year for customers that decide to jump ship. This move is likely aimed at encouraging customers to remain loyal to the operator despite the data breach.
A Warning to Businesses
The PIPC chairman, Koh Hak-soo, stated that the incident serves as an opportunity for businesses to recognize the importance of investing in cybersecurity measures and personnel. He also emphasized the need to strengthen the role and importance of CPOs and dedicated organizations in corporate management.
Competition Heats Up
SKT's rivals, KT and LG Uplus, have announced major security investment programs in response to the data breach. KT pledged to invest more than 1 trillion won ($730 million) over the next five years on its cybersecurity defences, while LG Uplus vowed to invest 700 billion won ($504 million) over the same period.
This development is likely to raise eyebrows among industry observers and customers alike. As one expert noted, "It's clear that SKT does not want to suffer the same fate as it did in this recent data breach incident."