Home > National > Social Affairs

Gov't orders SKT to notify individual users whose data may have been breached

Published: 02 May. 2025, 13:44

A person stands in front of an SK Telecom retail store in Seoul on May 2 to replace his subscriber identity module (SIM) card free of charge. [YONHAP]

As customer complaints mount following a major hacking incident at SK Telecom, the government on Friday ordered the telecom giant to notify all users whose personal data may have been exposed and to provide immediate protection for vulnerable groups.

The Personal Information Protection Commission (PIPC) convened an emergency meeting at 8 a.m. Friday to review the breach and SK Telecom’s response. The commission found that while the company had reported signs of a USIM data leak to the authorities, it had not individually notified affected users of the breach.

Under the Personal Information Protection Act, companies must notify data subjects of the specific items of personal data leaked, the timing and cause of the leak, and measures taken to minimize damage and provide relief. They must also supply contact information for further inquiries.

SK Telecom had only posted a notice on its website suggesting that some customer information may have been leaked. Although the company did send a mass text message to all users after the incident, the message offered only a brief apology and basic information about its USIM protection service and replacement options. A PIPC official noted that the commission has since received a surge in complaints.

SK Telecom CEO Ryu Young-sang publicly apologized Thursday at a daily briefing held at the company’s headquarters in central Seoul. He bowed deeply, acknowledging the USIM hacking incident.

Ryu Young-sang, chief executive officer of SK Telecom, apologizes on May 2 at SK-T Tower in central Seoul. [NEWS1]

The commission also criticized the effectiveness of the company’s mitigation efforts. While SK Telecom offered USIM protection and SIM card replacements, it faced a shortage of materials and delays in processing requests. The commission further pointed out that the services are accessible only via mobile or in-person visits, creating barriers for older adults and people with disabilities.

“The company’s response has heightened public confusion and dissatisfaction, and it has failed to adequately protect vulnerable populations,” the commission said in a statement.

In response, the commission ordered SK Telecom to carry out three immediate measures.

First, the company must notify not only confirmed victims but all users potentially affected by the breach, including subscribers to budget carriers that operate on the SK Telecom network. These notifications must include all required legal details.

Second, the company must implement specific protective measures for vulnerable groups such as senior citizens and people with disabilities. Beyond current offerings, the company should provide additional options, including eSIM services and mobile carrier switching support, to prevent secondary harm.

Third, SK Telecom must expand and maintain a dedicated response team to manage the growing volume of customer complaints related to personal information.

The company must report the results of its implementation to the commission within seven days.

Travelers line up at Incheon International Airport on May 2 to replace their subscriber identity module (SIM) cards at SK Telecom Roaming Center before departure. [NEWS1]

“This action aims to minimize the damage from the breach, and to ensure individuals’ right to control and choose how their personal data is handled,” the commission said in a statement. “The government will continue monitoring enforcement to ease public concern and inconvenience.”

Meanwhile, the Ministry of Science and ICT on Thursday directed SK Telecom to suspend all new mobile service subscriptions at its 2,600 T World retail locations nationwide. The PIPC is also conducting a full-scale audit of SK Telecom’s personal data processing systems to determine whether it complied with data security requirements.

BY MOON HEE-CHUL [[email protected]]