SKT to exempt early termination fees over customer data breach

SK Telecom CEO Ryu Young-sang bows during a press conference on the company's data breach at SKT Tower in Jung District, Seoul, Friday. Yonhap

SK Telecom (SKT) decided to exempt early termination fees for users who have switched to other mobile carriers following a massive customer data breach at the company in April.

SKT said Friday it will spend a total of 500 billion won ($366.78 million) on a compensation package for customers, which will include the fee waiver and a 50 percent discount on August mobile bills for all SKT users. It also promised to invest a total of 700 billion won over the next five years to improve its security.

The promise came hours after the government announced the results of its investigation into the data breach and instructed the telecom company to exempt the fees.

“All executives and employees of SK Telecom take the investigation team’s findings seriously and sincerely apologize once again to our customers and society for the data breach,” SK Telecom CEO Ryu Young-sang said at a press conference.

“We will take full responsibility and swiftly implement all corrective measures and preventive actions to ensure this does not happen again.”

During a press briefing on the results of the government's investigation into the data breach case, Second Vice Minister of Science and ICT Ryu Je-myung said SKT is liable for the incident, which is feared to have compromised the universal subscriber identity module (USIM) data of its 25 million customers, as the company neglected its duty to protect relevant data.

Based on the investigation team’s findings, the ministry said SKT should exempt early termination fees for users switching to other carriers. SKT’s terms and conditions state that early termination fees will be waived when the subscription contract is ended for reasons related to the company's responsibilities.

Second Vice Minister of Science and ICT Ryu Je-myung speaks during a press briefing on SK Telecom's data breach at the Government Complex Seoul, Friday. Yonhap

Before the government announcement, SKT had shown reluctance to exempt termination fees. In May, CEO Ryu told the National Assembly that with up to 2.5 million users expected to leave, the total cost could reach 250 billion won, given an early termination fee of 100,000 won per person.

During the government briefing, however, the vice minister said, “If SKT resists the government’s findings, we will issue a corrective order in accordance with the relevant legal procedures. If the company fails to comply, we will take further administrative action, including a license revocation.”

Following the government’s warning, Ryu said the company board had a meeting and decided to exempt the early termination fees.

SKT said it will exempt the fees for customers who switched or will switch to other carriers from April 19 to July 14. The early termination fee exemption will be offered in the form of refunds for previously paid fees upon application, which will begin on July 15.

Approximately 650,000 customers have switched to other carriers since the data breach was made public.

The promised spending is expected to affect the company’s earnings from the third quarter of this year. “We expect this will heavily impact our earnings,” Ryu said. “But restoring customer trust is more important, and we are prepared to accept short-term losses.”

SKT posted 4.45 trillion won in sales and 567.4 billion won in operating profit for the first quarter of this year. The company is expected to log 4.41 trillion won in sales and 515.3 billion won in operating profit in the second quarter, according to market tracker FnGuide.

Reflecting its spending plans, SKT posted a regulatory filing on Friday and lowered its sales guidance for this year from 17.8 trillion won to 17 trillion won, citing “the customer compensation package related to the cyberattack and market conditions.”

Citizens walk past an SK Telecom outlet in Seoul, June 24. Yonhap

SKT first detected signs of an unusually large volume of data being transmitted outside its network on April 18, but only reported the breach to the Korea Internet and Security Agency on April 20. This triggered nationwide turmoil, with users rushing to replace their USIM cards amid fears of their data being exploited for cybercrimes.

According to the ministry, the investigation team found that SKT servers were infected by 33 types of malware, including BPFDoor. During the cyberattack, which lasted from August 2021 to April 18 of this year, a total of 25 types of USIM-related data such as phone numbers and International Mobile Subscriber Identity (IMSI) numbers were leaked. The total volume of compromised data reached 9.82 gigabytes, with approximately 26.96 million IMSI records leaked.

The ministry said SKT made three major errors related to the source of the malware infection and its response to the breach: poor management of account credentials, inadequate handling of past security breach incidents and insufficient encryption of sensitive information.

According to the ministry, SKT stored account credentials from infected servers on other servers without encryption, and the attacker used these credentials for the hacking.

Also, the company discovered a malware-infected server in 2022 but failed to report it to the authorities. At that time, there were also signs of unauthorized login attempts on one of the servers that was later compromised in the April incident, but the company did not respond appropriately, the ministry said.

The ministry said SKT violated the law requiring it to report breaches to authorities within 24 hours of recognition, a violation subject to a fine of up to 30 million won. It also said it will refer the case to investigative authorities, as SKT submitted two servers in a condition that made forensic analysis impossible.