Chairperson Koh Hak-soo of the Personal Information Protection Commission bangs the gavel at the Commission's 18th plenary session, held at the Government Complex Seoul in Jongno-gu, Seoul, on the 27th. / Courtesy of the Personal Information Protection Commission

The Personal Information Protection Commission announced on the 28th that, at its 18th plenary session on the 27th, it had imposed a penalty surcharge of 134.791 billion won and a fine of 9.6 million won on SK Telecom (SKT) for violations of the Personal Information Protection Act, and had ordered corrective measures to prevent a recurrence.

This is the largest penalty surcharge the Commission has ever imposed on a domestic company, and it surpasses the combined 100 billion won levied on Google (69.2 billion won) and Meta (30.8 billion won) in 2022. Even among personal information leakage cases alone, it far exceeds the 15.1 billion won imposed over last year's KakaoTalk open chat room leak.

The incident is a grave one: the personal information of more than 23 million people was leaked through negligence in managing SKT's core mobile network and systems. After SKT detected abnormal outbound data transfers and reported the leak on April 22, the Commission immediately set up a dedicated investigation task force of researchers, lawyers and accountants together with the Korea Internet & Security Agency (KISA).

The investigation confirmed that 25 categories of personal information, including phone numbers, subscriber identification numbers (IMSI) and SIM authentication keys (Ki, OPc), belonging to 23,244,649 LTE and 5G subscribers (including reseller (MVNO) subscribers, duplicates excluded) were leaked through the hack. Because mobile phones are a primary means of identity verification, the mass leakage of SIM authentication keys has spread public anxiety and eroded trust. In particular, SKT stored 26,144,363 SIM authentication keys in plain text, without encryption, so the attackers obtained the original key values, a serious security flaw that could enable SIM cloning.
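An added example, not SKT's code nor part of the Commission's findings, of what the hardened form of the key storage criticised above looks like: each Ki or OPc is encrypted under a key-encryption key with AES-256-GCM, with the subscriber's IMSI bound in as associated data, and a one-line audit check distinguishes a raw key from a sealed one. It assumes a 32-byte KEK held outside the database (an HSM in practice); the IMSI and key bytes used in testing are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// sealSIMKey encrypts one 128-bit SIM key (Ki or OPc) under a 32-byte
// key-encryption key (KEK) with AES-256-GCM. The subscriber's IMSI is bound
// in as associated data, so a ciphertext lifted from one HSS row cannot be
// decrypted against another subscriber's record.
func sealSIMKey(kek []byte, imsi string, key []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("SIM keys are 128-bit values")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag (12 + 16 + 16 bytes).
	return gcm.Seal(nonce, nonce, key, []byte(imsi)), nil
}

// openSIMKey recovers the key only for the authentication step; a mismatched
// IMSI or any bit flipped in the stored blob makes Open fail.
func openSIMKey(kek []byte, imsi string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(imsi))
}

// isPlaintextKey flags a stored value that is still a raw 16-byte key, the
// row-by-row check an audit of the HSS table would apply.
func isPlaintextKey(stored []byte) bool { return len(stored) == 16 }
```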

How the breach unfolded has also been established. The attacker first penetrated a server on SKT's management network in August 2021, installed remote-control programs, and harvested the IDs and passwords of at least 4,899 servers from a file in which account credentials were stored in plain text. The attacker then exploited the DirtyCow vulnerability, for which a fix had been available since 2016, to gain administrative privileges on the core network servers and installed the BPFDoor malware on the Home Subscriber Server (HSS). In June 2022 the attacker infected two Integrated Customer Authentication System (ICAS) servers to expand the foothold, and on April 18, 2025, finally compressed and exfiltrated 9.82 GB of personal information from the HSS database. The investigation also confirmed multiple breaches of basic protective obligations: inadequate firewall rules, unnecessary interconnections between servers, intrusion detection logs that were never reviewed, operating system security updates that were not applied, and no commercial antivirus software or retention of access records.

Shortcomings in the governance structure also came to light. SKT had confined the Chief Privacy Officer (CPO) to IT areas such as the web and apps, effectively leaving oversight of the mobile network and infrastructure vacant. As a result, even after the large-scale leak, the CPO could not grasp how personal information was actually being processed, and overall management oversight failed to function. Moreover, although SKT confirmed on April 19 that HSS data had been sent outside the company, it did not notify the affected users within the legal 72-hour deadline: notice of a 'possible leak' was delayed until May 9 and of a 'confirmed leak' until July 28, heightening public confusion and distrust.

Accordingly, the Commission imposed the 134.791 billion won penalty surcharge and 9.6 million won fine on SKT and ordered it to ▲ strengthen the CPO's authority and role across the organization so that the CPO oversees all personal information processing, ▲ thoroughly manage and supervise its contractors, and ▲ expand the scope of its ISMS-P certification from the existing customer management system to the entire mobile network and core systems. SKT was also ordered to draw up and report recurrence-prevention measures within three months.

SK Telecom stated, "We take this result with a heavy sense of responsibility and will make every effort to make personal information protection a core value in all management activities and to strengthen customer information protection," but added, "We regret that our measures and positions were not sufficiently reflected in the result, despite being fully clarified during the investigation and deliberation process, and we plan to closely review the contents upon receipt of the resolution and determine our position."

Meanwhile, in the wake of this incident the Commission plans to announce in early September a comprehensive plan to strengthen the personal information management framework, including increased security investment by large-scale personal information processors and revised incentives.

Chairperson Koh Hak-soo of the Personal Information Protection Commission stated, "This incident should prompt corporations that handle large amounts of personal information to recognize their related budgets and personnel not merely as expenses but as essential investments," and added, "I hope this will elevate the status and role of personal information protection officers, raising the overall level of personal information protection in corporate management."

※ This article has been translated by AI.