The fine stems from a breach that came to light in April, when SK Telecom admitted that hackers had stolen the universal subscriber identity module (USIM) data of nearly 27 million customers
South Korea’s largest mobile carrier, SK Telecom, has been hit with a record-breaking USD 97 million fine after a government investigation found the company left its network vulnerable to a massive data breach. The penalty was imposed by the Personal Information Protection Commission (PIPC), which concluded that the telecom giant had failed to implement even basic security measures, exposing the data of millions of subscribers.
The fine stems from a breach that came to light in April, when SK Telecom admitted that hackers had stolen the universal subscriber identity module (USIM) data of nearly 27 million customers. The PIPC’s subsequent probe found that the actual number of affected subscribers was closer to 23 million—a staggering 45 percent of the country’s population.
“Catalog of Bungles”
The regulator’s report painted a damning picture of SK Telecom’s security practices, or lack thereof. According to the PIPC, the company failed at almost every level of defense:
Lack of Access Controls: Administrators had failed to segment the company’s internet-facing systems from its internal management network. This oversight allowed attackers to easily infiltrate core systems and begin mapping out the network’s infrastructure.
Ignored Red Flags: SK Telecom reportedly failed to check logs from its intrusion detection systems, allowing anomalous and suspicious behaviour to go unnoticed as the hackers moved through the network.
Plaintext Credentials: In one of the most serious findings, the PIPC discovered that thousands of server credentials—including usernames and passwords for critical databases—were stored in plaintext on a management server without any form of password protection.
Unencrypted Data: The report also highlighted a fundamental failure in data protection, revealing that more than 26 million USIM authentication keys were left unencrypted in the company’s databases. These keys are used to provision mobile services and verify subscribers, and their theft could lead to large-scale identity fraud or cloned mobile devices.
The PIPC’s findings suggest that, armed with these harvested credentials, the intruders were able to directly query SK Telecom’s core databases, silently exfiltrating subscriber information. The fine serves as a stark warning to corporations about the critical importance of robust cybersecurity, particularly as data privacy becomes a central issue for regulators and consumers alike.
