Personal Information Commission Holds Plenary Meeting on the 27th
"Extremely Vulnerable to Illegal Hacking Intrusions"
Order Issued for CPO to Oversee All Personal Information Management

The Personal Information Protection Commission has imposed a record fine of 134.8 billion KRW on SK Telecom for a personal information leak caused by a hacking incident in April. The commission considered several factors, including SK Telecom’s large revenue, the severity of its failure to fulfill security obligations, and the fact that these failures directly caused the leak.

Koh Haksoo, Chairman of the Personal Information Protection Commission, announced sanctions regarding the SK Telecom personal information leak incident on the 28th at the Government Seoul Office in Jongno-gu, Seoul. On the same day, the Personal Information Protection Commission imposed a fine of 134.791 billion won and a penalty of 9.6 million won. 2025.8.28 Photo by Cho Yongjun


On the 28th, the Personal Information Protection Commission announced that, at its plenary meeting held the previous day on the 27th, it imposed a fine of 134.791 billion KRW and a penalty of 9.6 million KRW on SK Telecom. This is the largest fine ever, surpassing the 100 billion KRW imposed on Google and Meta in 2022. Koh Haksoo, Chairperson of the commission, stated, "We hope this incident will make businesses that hold and process large amounts of personal information recognize that investing in related budgets and personnel is essential."


Through an intensive three-month investigation, the commission found that the personal information of 23,244,649 users of SK Telecom’s LTE and 5G services (including MVNO users) had been leaked. This included 25 types of information, such as mobile phone numbers, subscriber identification numbers (IMSI), and USIM authentication keys. The commission explained that the incident occurred due to "SK Telecom’s inadequate basic security measures and poor management," and that "the security environment between the internet and the internal network was managed in a way that left it extremely vulnerable to illegal intrusion by hackers."


The hacker first breached SK Telecom’s internal network in August 2021, installing malware on multiple servers. In June 2022, malware was also installed within the Integrated Customer Authentication System (ICAS). Then, in April of this year, the hacker leaked users’ personal information stored in the Home Subscriber Server (HSS) database to the outside.

It was confirmed that SK Telecom detected unauthorized access to the HSS server by the hacker in February 2022 but did not check whether malware had been installed, and so failed to prevent the incident. The company also neglected basic security updates.


Regarding the record fine, a commission official explained, "The size of the leak and the long duration of the violations were taken into account."



The commission also ordered SK Telecom to thoroughly assess its personal information processing practices, strengthen security measures, and establish a governance system so that the Chief Privacy Officer (CPO) can oversee the company’s overall personal information management. SK Telecom stated, "We will review our response plan after receiving the official decision."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
