Korea Personal Information Commission threatens to impose huge fines on SKT in connection with hacking

The Korea Personal Information Protection Commission has announced that it will investigate the leak of USIM (a chip-type IC card that records subscriber contract information such as phone numbers) data from SK Telecom (SKT), a major Korean telecommunications company.
The scale of the fine is expected to be significantly larger than in past cases, as the information leak occurred from a core network device that stores basic personal information.
At a regular press conference held at the government complex in Seoul on the 29th, Choi Jang-hyuk, vice chairman of the Personal Information Protection Commission, said, "The fines imposed on SKT are expected to be quite high."
Under current law, sales that are not directly related are not subject to the calculation of surcharges, but he emphasized that "this case involved the hacking of the main server, and the scope of the surcharge is broader."
Referring to the case in which a 6.8 billion won fine was imposed on LG Uplus in 2023, Vice Chairman Choi commented that the present case is "different."
"Before the revision of the Personal Information Protection Act, only 3% of the related sales was imposed as a penalty. This was a case where the leak incident was inferred from personal information posted on the dark web, and it was difficult to identify the route of the leak."
As a result, SKT could be subject to a fine of up to 530 billion won (US$490 million). The revised Personal Information Protection Act allows fines of up to 3% of total sales.
SKT's sales for 2023 were 17.94 trillion won. Vice Chairman Choi said, "In preparation for last year's incident, we secured a budget for a forensic lab.
"We are currently building a lab," he said, indicating that the lab will be able to identify the routes of leaks and vulnerabilities in the system.
"We would like to complete the investigation as soon as possible and make the results public, separate from any final disposition," he said. Meanwhile, the Ministry of Science, ICT and Technology of South Korea announced on the same day that there had been no leak of IMEI numbers.
However, Vice Chairman Choi still stated that personal information had been leaked.
"We are investigating the information contained within as personal information," the company said, adding, "We cannot say for sure that it does not contain confidential information such as names or resident registration numbers."
He also pointed out that the hacking of the main server of South Korea's largest telecommunications company is extremely symbolic.
"We believe there is a strong possibility that this may have happened and are continuing our investigations."