Graphic=Son Min-kyun

SK Telecom, which suffered a hacking attack, received a penalty surcharge of over 130 billion won from the Personal Information Protection Commission. Despite having voluntarily reported the incident after recognizing the damage, this is the largest penalty surcharge imposed since the commission was established in 2011. Concerns are growing that the imposition of a record penalty surcharge without reduction will create a bad precedent, leading corporations to conceal hacking incidents in the future.

◇ After voluntarily reporting, SK Telecom hit with penalty surcharge… concerns grow that companies will hide hacking damage

On the 28th, the Personal Information Protection Commission imposed a penalty surcharge of 134.79 billion won on SK Telecom, which experienced a hacking incident. The commission held SK Telecom responsible for leaking 25 types of personal information, including the subscriber identification number (IMSI), phone number, and SIM authentication key.

As SK Telecom, which spent nearly 1 trillion won on voluntary reporting and follow-up measures related to the hacking damage, faced the largest penalty surcharge ever, concerns are spreading that corporations will respond by not immediately reporting hacking incidents to the government and attempting to hide the damage as much as possible.

To prevent this, developed countries like the UK and the US specify quick voluntary reporting and follow-up actions as reasons for penalty surcharge reductions. In the UK, the General Data Protection Regulation (GDPR) states that if a hacking incident is promptly reported and appropriate follow-up actions are taken, the penalty surcharge can be reduced by up to 90%. In 2018, British Airways was warned of a penalty surcharge of 344.6 billion won due to a data leak affecting 430,000 customers, but it paid only a reduced penalty surcharge of 37.5 billion won in recognition of its quick voluntary reporting and appropriate follow-up actions. In the US, the upcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which is set to take effect in October, provides that corporations will be exempt from certain legal responsibilities if they report cyber breaches within 72 hours.

In contrast, Korea lacks provisions for penalty surcharge reductions for voluntary reports and only has regulations that penalize late voluntary reports. According to current law, personal information leak reports (Article 34 of the Personal Information Protection Act) must be made to the Personal Information Protection Commission within 72 hours of recognition. Fines will be imposed for non-reporting. SK Telecom completed its report on the personal information leak to the commission just 41 hours after recognizing the hacking incident.

Jang Hang-bae, a professor in the Department of Industrial Security at Chung-Ang University, noted, "There is a concern that the SK Telecom penalty surcharge case could set a wrong precedent that results in disadvantages for voluntary reporting. Systemic improvements, such as providing penalty surcharge reductions for voluntary reporting like overseas, are necessary."

◇ Only SK Telecom faces penalty surcharge bomb for voluntary reporting… KT and LG Uplus receive light penalties

There are also criticisms that the penalty surcharge imposed on SK Telecom is not equitable compared to the penalties faced by KT and LG Uplus, which have experienced customer data leaks due to hacking in the past.

In 2023, LG Uplus faced a penalty surcharge of 6.8 billion won for leaking the personal information of over 300,000 customers. KT, which had customer data leaks three times in 2012, 2014, and 2016, received a penalty surcharge only once from the Personal Information Protection Commission. In 2021, the commission imposed a penalty surcharge of 5 million won on KT for its 2014 data leak incident. According to the telecommunications industry, KT was informed of the customer data leak by the police at the time, while LG Uplus was notified by the Korea Internet & Security Agency (KISA). In contrast, it has been pointed out that imposing a penalty surcharge of over 130 billion won on SK Telecom, which independently recognized the hacking damage and voluntarily reported it, raises issues of equity.


◇ The amount of the penalty surcharge is six times higher than that of American telecom companies, causing controversy

Outside of Korea, there has never been a case in which a single company was hit with a penalty surcharge in the range of 100 billion won or more over personal information leaks. The penalty surcharge imposed on T-Mobile in the US, which experienced a data leak affecting 54 million customers in 2021, was only 21.6 billion won. At that time, AT&T also faced a penalty surcharge of only 17.8 billion won. A source in the telecommunications industry stated, "Even compared to American mobile carriers that faced similar incidents to SK Telecom, the penalty surcharge imposed is more than six times higher."

Even in Korea, the penalty surcharges imposed on Google and Meta, which intentionally used personal information for advertising without customer consent, did not exceed 100 billion won. In 2022, the Personal Information Protection Commission imposed penalty surcharges of 69.2 billion won on Google and 30.8 billion won on Meta.

※ This article has been translated by AI.