Gov’t calls for KT to waive early termination fees

Press release on the investigation results of unauthorized mobile payment fraud cases among KT users is displayed as Second Vice Minister of Science and ICT Ryu Je-myung, center, speaks during a press briefing at Government Complex in Jongno District, Seoul, Monday. Yonhap

A government investigation team said Monday that telecom operator KT is responsible for mishandling its femtocell mini cellular stations, which became the main loophole exploited in a series of unauthorized mobile payment fraud cases earlier this year, and urged the company to waive early termination fees for all of its customers.

Femtocells are small, low-power cellular base stations typically used in homes or small businesses.

The team, led by the Ministry of Science and ICT, said at a press briefing that the breach stemmed from KT’s negligence in managing femtocells, which constituted a violation of its contractual obligation to provide safe communication services to all users.

“The ministry found that KT’s negligence in managing its femtocells and the resulting risk of data breaches was not limited to the victims of the payment fraud, but exposed all KT users to potential threats,” the ministry said. “KT failed to fulfill its obligation by not employing appropriate protective measures to prevent such incidents.”

The payment fraud took place from late August to early September, with 368 KT customers swindled out of a total of 243 million won ($167,000) in unauthorized mobile payments, while 22,227 customers’ phone numbers and mobile identity data were breached.

Police arrested two Chinese nationals in their 40s as suspects. Officers found that one of them carried illegal femtocells in a van and moved around to intercept SMS authentication calls and messages, while the other was responsible for converting the proceeds into cash. It was the first such crime reported in Korea.

The investigation team confirmed that KT’s femtocell management system was negligent, allowing illegal femtocells to easily access its network.

The KT logo is displayed at a store in Seoul, Sept. 10. Newsis

The team found that all KT femtocells were using the same manufacturer-issued certificate. Once this certificate was copied, unauthorized femtocells could obtain a KT certificate from the company’s internal authentication server and connect to its network. The team also noted that KT certificates were valid for 10 years, meaning that any femtocell that had connected to the KT network even once could continue to access the network.

Monday’s announcement is effectively a binding order. Recently, the National Assembly Research Service interpreted relevant laws as allowing the Ministry of Science and ICT to demand that KT waive early termination fees for all of its subscribers, and noted that the ministry can suspend KT’s operations if the company refuses to comply.

KT said in a statement that it is “taking the findings of the investigation with grave seriousness” and “will promptly announce plans for customer compensation and cybersecurity reforms once they are finalized.”

If KT accepts the government’s findings and exempts termination fees, that could trigger subscribers to switch carriers. Earlier this year, the country’s largest carrier, SK Telecom, decided to waive early termination fees following a separate data breach, causing its market share to fall to 38.8 percent; it has yet to recover to the 40 percent level.

Regarding a separate data breach case at LG Uplus in July, the ministry said the No. 3 mobile carrier had filed false documents and discarded affected servers, rendering any investigation impossible.

The ministry said it has asked the police to investigate LG Uplus on suspicions of obstructing official duties, as its reinstallation or discarding of server operating systems took place after the Korea Internet & Security Agency notified the company of the breach in July.