Home > Business > Tech

Personal info watchdog hints at massive fine for SKT over hack

Published: 29 Apr. 2025, 21:28

SK Telecom headquarters in central Seoul on April 22 [YONHAP]

As consumer frustration grows over SK Telecom’s hacking incident, a government official suggested a heavy fine could be imposed and raised the likelihood that personal data was leaked from the company’s main servers.

“We believe there was a leak from SK Telecom’s main server,” said Choi Jang-hyuk, vice chairperson of the Personal Information Protection Commission (PIPC), during a regular briefing at the Seoul Government Complex on Tuesday.

His comment directly contradicts the mobile carrier's earlier claim that “there was no hacking of the main server.”

“I don’t know why SK Telecom denied [the leak from the main server], but it seems correct to say that there was a leak,” Choi said.

The PIPC launched an investigation immediately after receiving SK Telecom’s breach report on April 22. It has since mobilized a task force consisting of in-house lawyers, investigators and external experts.

However, as the investigation is still in its early stages, specifics regarding the leak and the type of information compromised have yet to be determined.

Choi Jang-hyuk, vice chairperson of the Personal Information Protection Commission (PIPC), briefs reporters at the Seoul Government Complex on Tuesday. [YONHAP]

“It’s difficult at this point to definitively say that consumers’ registration numbers were among the leaked data," Choi said.

SK Telecom is Korea’s largest mobile carrier with about 23 million subscribers, meaning the potential scale of the fine could be significant.

“This is symbolically very serious, given that the main server of Korea’s No. 1 telecommunications company was hacked,” Choi said. “Under current law, fines are usually calculated excluding unrelated revenue, but because this involved the main server, the scope for imposing the fine will be broader.”

He pointed to the precedent of LG U+, which was fined 6.8 billion won ($4.7 million) in 2023, and noted, “Back then, only 3 percent of related revenue was fined under the old law. But [SK Telecom’s case] is on a different level.”

Given that the Personal Information Protection Act allows a fine of up to 3 percent of total annual revenue, some estimate SK Telecom could face a fine of up to 530 billion won. SK Telecom’s revenue last year was 17.94 trillion won.

SK Telecom subscribers line up at a dealership in Seoul to replace their SIM cards on April 29. [YONHAP]

Choi added, “It does seem that safety measures were lacking somewhat, but we need to fully investigate. We are focusing on the scale of personal data contained in the hacked USIM cards and whether appropriate safety measures were in place at the server storing those USIMs.”

Earlier the same day, the Ministry of Science and ICT announced that the hacked data did not include the unique device identifiers such as IMEI and IMSI. The PIPC, however, expressed a different view.

“We are treating information stored in USIM chips, including the IMEI and IMSI numbers, as personal information in this investigation,” Choi said. “It’s difficult to definitively say that sensitive information like names and registration numbers was not involved."

He also criticized a general corporate lack of investment in protecting personal data, saying, “Even major conglomerates have barely increased their budgets or staff for personal information protection. Now is a critical time for more investment and stronger personnel reinforcement.”

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY MOON HEE-CHUL [[email protected]]