Personal Information Protection Commission investigates SKT data leak... 238 items of customer data may have been illegally accessed (South Korea)
On the 19th, Korea's Personal Information Protection Commission (PIPC) announced that it had taken measures to investigate the personal information leak at SK Telecom (SKT), mainly through an intensive investigation task force (TF) established on the 22nd of last month.
The commission announced that it is conducting the investigation under the Personal Information Protection Act. It will investigate the leak of subscribers' mobile phone numbers, IMEI numbers, SIM card authentication keys, and other SIM information.
In response to this, on the 2nd, based on an emergency committee decision, the company decided to notify all data subjects whose data had been leaked or was at risk of being leaked, and to take measures to prevent damage.
The investigation is based on Article 63 of the Personal Information Protection Act, and the focus is on identifying the scope of personal information leaked and the scale of damage, and whether SKT has complied with its security management obligations under the Personal Information Protection Act.
The investigation will be conducted to verify whether SKT properly fulfilled its duties (including technical and administrative measures). The PIPC will separately obtain relevant materials necessary for the investigation from SKT and conduct an independent investigation in accordance with the Personal Information Protection Act.
In its investigation so far, the commission has found that a total of 18 servers, including two servers for SKT's customer management system, the Integrated Customer Account System (ICAS), were vulnerable to malicious code.
ICAS provides APIs for the company's online service "T World" and its partner companies to inquire about subscribers' contract status, personal information, and contract plans.
These servers contain a total of 238 items (columns) of data, including important personal information of customers such as name, date of birth, phone number, email address, address, IMEI, and International Mobile Subscriber Identity (IMSI).
Considering that the malicious code infection dates back a long time, with the first infection in June 2022, the government plans to conduct a detailed investigation into the infection route and the details of the information leak.
The commission emphasized that "this is a large-scale incident of personal information leaks, and we will conduct a thorough investigation and make every effort to implement measures to prevent recurrence."
In addition, the ministry will call attention to phishing scams and scams using SMS (smishing), and will encourage people to take precautions against unauthorized distribution of information that may have been leaked, such as over the Internet and the dark web.
"We will maintain our current emergency response system for the time being, including strengthening surveillance of the airport."
2025/05/20 05:56 KST
Copyrights(C) Herald wowkorea.jp