7 min read

South Korea’s Personal Information Protection Commission fined SK Telecom 134.8 billion won, equal to about $97 million.
Officials said this was the largest penalty ever imposed under South Korea’s revised Personal Information Protection Act, surpassing previous penalties imposed on companies like Google and Meta. It followed a data breach involving poor protection of personal information.

Hackers broke into SK Telecom’s network in August 2021. They remained until April 2025, when investigators finally uncovered the attack. This meant criminals had almost four years of silent access to highly sensitive customer information.
The attackers installed malware on key servers. These programs gave them control of the Home Subscriber Server, which stores core subscriber information needed for mobile services.

Regulators said SK Telecom left passwords and IDs stored in plain text. Millions of SIM keys were kept unencrypted. These weaknesses made it simple for hackers to steal information directly from databases.
The company also failed to separate internal networks from Internet systems. There were no firewalls in place for sensitive areas. Logs were not checked, which allowed strange activity to go unnoticed. Authorities called these failures “basic negligence.”

Investigators confirmed 23 million customers were affected. This is almost half of South Korea’s population, showing how big the failure was. Leaked data included 25 different categories connected to SIM cards and subscriber accounts.
The stolen information included USIM authentication keys, IMSI numbers, IMEI device identifiers, phone numbers, emails, and even some birth dates. Experts said this could allow hackers to make fake SIM cards and track phone activity.

According to the PIPA Enforcement Decree, Article 39, data leaks must be reported within 72 hours. SK Telecom waited longer before alerting both regulators and customers. This delay left users in danger without knowing their personal information had already been stolen.
Because of this, the company got an extra fine of 9.6 million won, about $7,000. While much smaller than the main fine, regulators said the penalty showed how seriously late reporting would be punished under national law.

The government told SK Telecom to make major changes. Rules included encrypting all sensitive data, putting firewalls between networks, and auditing system logs more often. Security duties must now be given to top executives with full authority.
The chief privacy officer will now have to oversee every personal data process, not just IT apps. Officials said strong governance was missing before, leaving critical telecom networks without enough leadership.

After the fine, SK Telecom said it felt “heavy responsibility.” The company publicly apologized and promised to rebuild trust. It offered direct support and benefits to customers whose private information was part of the breach.
The company provided free SIM card swaps, discounts on August phone bills, extra data, and penalty-free contract cancellations. Officials said these steps were meant to show accountability and to reduce anger from millions of customers.

In July 2025, SK Telecom promised to spend 700 billion won, about $500 million, over five years. The money will be used to strengthen systems, hire experts, and add oversight from board-level security professionals.
Plans include more frequent audits, stronger encryption, and new monitoring tools. The company said this was its largest cybersecurity project ever. Regulators warned that after years of neglect, the company must follow through with every promised change.

When SK Telecom admitted the breach on April 18, 2025, its stock price fell 8.5% in a single day. That was the company’s sharpest drop since March 2020 during the COVID-19 market crisis.
Investors feared customer losses, lawsuits, and huge fines. Over 5.5 million people signed up for a new SIM protection service. More than 2,600 stores offered free SIM card replacements, but shortages left many waiting.

A joint government probe discovered 28 servers infected with 33 malware types. Hackers extracted 9.82 gigabytes of stolen data over nearly four years. This included vast subscriber details needed to run South Korea’s largest mobile network.
The stolen files held 26.96 million IMSI records, IMEI device numbers, names, birth dates, phone numbers, and call logs. Officials said this was the biggest single theft in Korea’s telecom history and one of the largest worldwide.

Authorities ruled that SK Telecom broke its duty to provide a secure service. This meant contracts were no longer binding. Customers could cancel their phone plans without paying early termination fees or other penalties.
This rare step showed the scale of the failure. Regulators said people trusted SK Telecom with critical SIM card information. By failing to protect it, the company lost its right to hold users to long-term contracts.

In February 2022, SK Telecom noticed unusual network activity. But the team only checked one of six suspicious logs. The company failed to investigate fully or report the incident. This mistake allowed hackers to keep control.
Officials said this delay was one of the worst failures. Had logs been reviewed, the breach might have been stopped much earlier. Instead, hackers operated secretly for three more years, causing far more damage than necessary.

Investigators said the chief information security officer only covered IT and apps, not telecom systems. This meant core networks were not managed by security leaders. Hackers took advantage of these leadership gaps to attack high-value systems.
The chief privacy officer also had limited oversight. Regulators said this showed SK Telecom treated cybersecurity as a low priority, not as a responsibility for top managers. That structure must now change under the new government orders.

Experts said hackers used advanced tools like BPFDoor and CrossC2. These are designed to avoid detection by normal security systems. Attackers also used stolen passwords to re-enter networks and stay inside without raising alarms.
By regularly updating the malware, hackers made sure security scans could not easily catch them. This allowed them to steal data slowly and carefully. By 2025, dozens of servers were deeply infected with persistent malicious code.

The stolen USIM information could be used for SIM cloning. That means criminals could copy a customer’s phone card, read texts, make calls, or steal payment data. Lawmakers said this raised threats far beyond personal privacy.
Officials warned that if the stolen records were misused, attackers might rebuild call histories of top government officials. This could endanger state secrets and national security. The risk showed why telecom safety is considered part of national defense.

Regulators said the SK Telecom case is a warning for every company. Protecting personal data is not optional but a legal duty. Privacy must be treated as a core business cost like energy or labor.
Officials added that breaches will now bring record-breaking fines. Encryption, governance, and fast reporting are required to keep trust. The SK Telecom fine stands as the largest ever in South Korea and a landmark for future data protection.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.