
South Korea's privacy regulator has imposed a record fine of 1.3479 trillion won (approx. $980 million USD) on SK Telecom following a catastrophic data breach that compromised sensitive mobile subscriber information for over 23 million users, including unencrypted USIM credentials.
The Personal Information Protection Commission (PIPC) cited severe violations of the country's data protection laws in its announcement. In addition to the fine, a separate administrative penalty of 9.6 million won (~$7,000 USD) was levied for failing to promptly notify affected users.
The breach, which began in August 2021 but went undetected until April 2025, was investigated through a joint task force led by the PIPC and the Korea Internet & Security Agency (KISA). The task force determined that attackers had infiltrated SK Telecom's internal systems and exfiltrated 9.82 GB of sensitive data from its Home Subscriber Server (HSS) database, core infrastructure used for authenticating mobile devices on LTE and 5G networks.
SK Telecom, the largest mobile carrier in South Korea with over 29 million subscribers, is a key pillar of the nation's digital infrastructure. It provides high-speed 5G and LTE services and IoT connectivity, and operates under the SK Group umbrella, one of the country's largest conglomerates. The breach, affecting approximately 23.24 million unique users, exposed critical data such as mobile numbers, IMSI identifiers and, most alarmingly, unencrypted USIM authentication keys (Ki and OPc), which are essential for validating devices on mobile networks.
According to the investigation, the attackers initially penetrated SK Telecom's internal network in August 2021 and installed backdoors across multiple Linux servers. The malware, including variants of the stealthy BPFdoor, allowed persistent access for years. In June 2022, the attackers compromised SKT's Integrated Customer Authentication System (ICAS) to expand their control, ultimately culminating in the exfiltration of user data from the HSS system in April 2025.
The breach was enabled by a series of fundamental security failures:
- Internet and internal management networks were improperly segmented, allowing attackers to pivot laterally.
- Access control was lax; critical server credentials were stored unencrypted on internal systems, and the HSS database could be queried without authentication.
- SKT continued to use outdated operating systems vulnerable to the Dirty COW exploit (CVE-2016-5195), despite public patches having been available since 2016.
- Most notably, SKT stored over 26 million USIM authentication keys in plaintext, unlike peers LG U+ and KT, which have encrypted such data since 2011 and 2014, respectively.
The PIPC also criticized SK Telecom for delays in notifying affected users. Although the company detected the data transfer on April 19, 2025, it did not send formal breach notices until July 28, well beyond the 72-hour legal deadline. The regulator found that this delay exacerbated public uncertainty and weakened the defensive actions users could have taken.
SK Telecom now faces strict corrective orders, including a mandatory overhaul of its internal governance structure to empower its Chief Privacy Officer (CPO) with authority over not just IT services like T World, but also its telecom infrastructure. The company is also required to obtain ISMS-P (Information Security Management System – Personal Information) certification for its core telecom systems within three months.