The KT board of directors on the 4th decided to replace the USIMs (subscriber identity modules) of all of its customers free of charge. Questions are being raised about why KT, which had insisted there were no traces of USIM hacking, suddenly moved to replace USIMs at an expense of more than 100 billion won. In September, KT said the cause of the unauthorized small-payment hacking incidents was hacking via illegal femtocells (ultra-small base stations).
◇ USIMs weren't breached, yet spending 100 billion won to replace them?
On the 5th, KT began free USIM replacements for about 16 million subscribers, including about 3 million budget phone subscribers. The industry expects that if KT replaces USIMs for all customers, it will cost at least 100 billion won in expense.
So why is KT moving to replace the USIMs of all customers at an expense in the 100 billion won range? KT said the decision was made to allay customer security concerns. It noted it was a bold move to restore customer trust.
Even so, some experts say they cannot understand KT's decision. Kim Yong-dae, a professor at the KAIST School of Electrical Engineering, said, "It would be more appropriate to replace the hardware security module (HSM) of the femtocell identified as the cause of the hacking incident, so I do not understand why they are replacing USIMs, which are unrelated to the hacking."
When the SK Telecom hacking incident surfaced in April, there were indications that USIM authentication keys had been hacked, so a USIM replacement for all customers was necessary. But KT has maintained that USIM authentication keys were never hacked. Some even suspect that "KT is actually aware of indications of USIM hacking but embarked on a 'big-expense show' to cover it up."
What fueled suspicions about KT's USIM replacement decision was the controversy over KT's server disposal. The Korea Internet & Security Agency (KISA) in July notified KT of indications of a server hack, but KT disposed of the server while saying "there was no breach." Afterward, the Ministry of Science and ICT asked police to investigate, saying KT obstructed the government probe and was suspected of submitting false documents and concealing evidence.
◇ The path of the personal data leak remains "shrouded in fog"
In September, KT acknowledged that, through illegal femtocells, customers' device identifiers (IMEI), international mobile subscriber identities (IMSI), and mobile phone numbers had been leaked. In this process, 22,227 customers were suspected of having personal data leaked, and 368 people were confirmed victims of unauthorized small payments. However, the path of leakage for personal data needed for payment authentication—such as name, date of birth, and sex—remains uncertain. Possibilities of hacks on KT's internal servers and USIMs have been raised, but KT has denied them.
KT also says it will decide whether to waive termination penalties due to the hacking only after the government's final investigation results are released. The industry expects that demand for number portability will not be large as all three telecom companies were hacked and the perception has spread that "there is no longer a safe telecom company," but KT remains silent. According to the Korea Telecommunications Operators Association (KTOA), the number of number portability cases among the three telecom companies in Oct. was 600,066, down 6.8% from September's 643,875. Despite the hacking's impact, KT's subscribers fell by only a net 6,523 last month.
According to the telecom industry, SK Telecom, which has about 23 million subscribers, suffered a loss of about 70 billion won due to penalty waivers. KT has about 13 million subscribers, roughly 10 million fewer. A telecom industry official said, "Recently, demand for number portability has decreased, and the number of subscribers is smaller, so even if KT proactively moves to waive penalties, the loss would be less than SK Telecom's 70 billion won," adding, "It seems contradictory from the standpoint of corporations that should pursue profit to be passive about penalty waivers while spending as much as 100 billion won on USIM replacements unrelated to the cause of the hacking."
Some say KT was pressured to replace USIMs during last month's National Assembly audit. Another telecom industry official said, "If KT decided to replace USIMs because of pressure from the National Assembly, it should also have made a decision on the more intense pressure regarding penalty waivers," adding, "I do not understand why it is only replacing USIMs."