South Korea’s Privacy Regulator Hits SK Telecom with $99.9 Million Sanction over Massive Data Breach
Key Takeaways
- Record Penalty: SKT was fined $99.9 million (KRW 134.8 billion), one of the largest privacy sanctions in South Korea’s history.
- Massive Breach: Personal data of approximately 23.24 million subscribers, including USIM keys and IMSI identifiers, was compromised.
- Systemic Failures: Investigators cited unencrypted storage of sensitive keys, weak access controls, and neglected security patches as major lapses.
- Governance Gaps: SKT’s CPO had limited oversight, leaving critical communications infrastructure vulnerable, and breach notifications were delayed beyond the 72-hour requirement.
Deep Dive
South Korea’s Personal Information Protection Commission (PIPC) has imposed one of the country’s largest-ever privacy penalties on SK Telecom (SKT), ordering the mobile carrier to pay $99.9 million (KRW 134.8 billion) after a series of failures that exposed the personal information of more than 23 million subscribers.
At its 17th plenary meeting on August 27, 2025, the PIPC found that SKT violated multiple provisions of the Personal Information Protection Act (PIPA), including insufficient safeguards, poor governance oversight, and delayed breach notification. The sanctions include a penalty of $99.9 million (KRW 134.79 billion), a fine of $67,000 (KRW 91 million), and an additional $7,100 (KRW 9.6 million) for late notification.
The breach, first detected in April 2025, compromised twenty-five categories of subscriber data, including phone numbers, USIM authentication keys, and international mobile subscriber identities (IMSI). In total, data belonging to approximately 23.24 million subscribers, including those of budget carriers, was compromised.
Investigations by a joint task force from the PIPC and the Korea Internet & Security Agency (KISA) revealed that hackers had infiltrated SKT systems as early as August 2021, installing malware across critical networks. A more severe attack in April 2025 targeted SKT’s Home Subscriber Server, resulting in the extraction of 9.82 gigabytes of subscriber information.
Findings of Negligence
The PIPC found SKT’s networks to be “complacent” and dangerously vulnerable. Investigators cited failures to isolate internal and internet-facing systems, insufficient access controls, and the storage of subscriber login credentials across more than 2,300 servers without proper safeguards.
Perhaps most alarming, the company stored 26 million instances of USIM authentication keys (Ki) in plaintext without encryption, despite knowing other carriers had already adopted encryption measures. Hackers exploited these gaps to steal credentials, plant malware, and siphon sensitive data.
The commission also highlighted that SKT ignored known vulnerabilities, including the Dirty COW Linux kernel flaw that had been publicly disclosed in 2016, and neglected to install basic security updates and antivirus protections.
Beyond technical failures, governance shortcomings played a role. The company’s Chief Privacy Officer (CPO) had responsibility limited largely to IT applications, leaving mobile communications infrastructure outside that oversight. SKT also delayed notifying regulators and customers: outbound data transfers were detected on April 19, 2025, but subscribers were not informed until May 9, and full disclosure arrived only on July 28.
Sanctions and Broader Measures
Along with financial penalties, the PIPC ordered SKT to overhaul its governance and data protection systems, strengthen safeguards, and expand its ISMS-P certification across more of its network infrastructure.
The commission emphasized that the ruling serves as a critical precedent. Chairperson Haksoo Ko stated, “Taking this opportunity, large-scale personal data processors should invest in personnel and allocate more budgets for data protection and privacy by bringing in a shift in their perspectives that it is not just an expenditure, but an investment required for their operations.”
He added that Chief Privacy Officers must play a central role in preventing similar incidents, underscoring the importance of treating data protection as a core business priority in the digital economy.
The PIPC also plans to publish new “Comprehensive Measures for Robust Personal Information Security Management Systems” in September 2025, aimed at strengthening oversight and compelling businesses handling vast amounts of data to invest more heavily in privacy and security frameworks.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.