The Korea Times

SK Telecom fined $97 mil. over April data breach

Penalty far exceeds fines in previous cases, raising questions about regulatory consistency

Personal Information Protection Committee Chairperson Ko Hak-soo, center, speaks during a press briefing on the committee's fines against SK Telecom at Government Complex Seoul, Thursday. Yonhap

The Personal Information Protection Committee (PIPC) on Thursday fined SK Telecom 134.8 billion won ($96.9 million) over a massive user data breach in April.

The penalty is the largest-ever fine imposed on a single company by the telecom regulator, surpassing the 69.2 billion won fine levied on Google in 2022 for collecting personal data without user consent.

During a press briefing, PIPC Chairperson Ko Hak-soo said the committee held a general meeting on Wednesday and reached the decision, along with an administrative penalty of 9.6 million won.

He added that the committee also approved corrective measures to prevent further data breaches, including a full system inspection, stronger security measures and an overhaul of company-wide personal data governance.

A citizen walks past an SK Telecom store in Seoul, Wednesday, when the Personal Information Protection Committee held a meeting to decide on fines over the carrier’s April data breach. Yonhap

SK Telecom reported the data breach to the PIPC on April 22 after detecting a large volume of data being transmitted outside its network on April 18. Following months of investigation, it was confirmed that more than 23 million SK Telecom users’ phone numbers, international mobile subscriber identities and 23 other types of universal subscriber identity module (USIM) data were compromised in the cyberattack.

Last month, the government announced SK Telecom's liability for the incident, as the company neglected its duty to protect relevant data, and instructed it to exempt the early termination fees for users switching to other mobile carriers following the data breach.

The PIPC said the fines were imposed because SK Telecom neglected access control measures, failed to properly manage access rights, did not encrypt USIM authentication keys and delayed notifying users of the data breach.

The PIPC also ordered corrective measures requiring SK Telecom to strengthen safeguards in personal data processing across its services and to revamp governance structures so that a chief privacy officer (CPO) can oversee company-wide data management.

“We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budgets as an essential investment,” Ko said. “We also expect it will raise awareness of the role and importance of CPOs and dedicated privacy teams in corporate management.”

SK Telecom said in a statement that it “takes the decision with a deep sense of responsibility” and “will consider personal data protection as top priority in all operations, taking every measure to safeguard customer information.”

It remains uncertain whether the company will appeal the fines. It can file an administrative appeal or lawsuit within 90 days of receiving the written decision from the PIPC. Reportedly, the PIPC’s written decision will take one to three months to be delivered.

“It is regrettable that our customer protection measures and explanations were not reflected in the outcome,” SK Telecom said. “We will thoroughly review the written decision once it is delivered and then decide on our stance.”

Before Thursday’s decision, the market had various expectations about the size of the fine.

Under the Personal Information Protection Act, fines can reach up to 3 percent of a company’s revenue. Based on SK Telecom’s wireless business revenue of 12.77 trillion won last year, some industry officials expected the penalty could exceed 300 billion won.

On the other hand, others expected it to stay around 100 billion won, considering the company’s measures for victim relief and recurrence prevention.

In July, SK Telecom announced a 700 billion won information security plan and a 500 billion won customer protection plan, and decided to exempt early termination fees.

With SK Telecom voicing complaints about the hefty fine, there are also complaints that the penalty was inconsistent with those imposed in other violation cases.

In Google’s 2022 case, the company used customer data for targeted advertising without consent for its own profit, but was fined only 69.2 billion won. Kakao was fined 15.1 billion won over its open chatroom data leak, while LG Uplus, which suffered a similar data breach, had to pay just 6.8 billion won as regulators applied different standards in calculating the penalties.

“The market had already anticipated various scenarios regarding the fine, but the actual amount turned out to be sizeable enough to raise concerns on the company’s financial status,” an industry official said.

“SK Telecom had already reflected related costs in its second- and third-quarter earnings, but with the finalization of the fine still pending, uncertainty over its profitability may continue.”