The joint public-private investigation team (hereafter, the investigation team) operated by the Ministry of Science and ICT announced interim findings on the KT hacking and breach incident on the 6th. The investigation team said that its investigation of KT's unauthorized small-sum charges and personal data leak incident revealed multiple lapses in security management, including lax femtocell management, failure to report malware, delayed breach notification, and false reporting of the server disposal timeline.
◇ Breach caused by lax femtocell management
KT said it first discovered on Sept. 8 that small-sum charges and personal data leaks had occurred through illegal femtocells. Analyzing KT base station access logs and payment records from Aug. 1, 2024, to Sept. 10, 2025, the investigation team confirmed that the personal information of 22,227 subscribers had been leaked through 20 illegal femtocells. It also found that 368 people suffered a total of 243.19 million won in small-sum charge damages in this incident.
In particular, KT was flagged for having a serious problem in its femtocell management system. All femtocells supplied to KT used the same certificate, allowing illegal femtocells to easily connect to KT's internal network. The investigation team found that KT set the certificate validity period to 10 years, enabling a femtocell that had connected once to continue accessing the KT network.
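The two weaknesses described above, one certificate shared by every femtocell and a 10-year validity period, are both visible in a device certificate inventory. The following audit is an added illustration, not code from the investigation team or KT; the inventory records, device names, fingerprints and the 398-day policy ceiling are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

MAX_VALIDITY_DAYS = 398  # assumed policy ceiling, not a figure from the article

# Constructed inventory: (device_id, cert fingerprint, not_before, not_after)
INVENTORY = [
    ("femto-0001", "aa11", date(2020, 1, 1), date(2030, 1, 1)),
    ("femto-0002", "aa11", date(2020, 1, 1), date(2030, 1, 1)),
    ("femto-0003", "aa11", date(2020, 1, 1), date(2030, 1, 1)),
    ("femto-0004", "bb22", date(2025, 1, 1), date(2026, 1, 1)),
]

def devices_by_fingerprint(inventory):
    """Group device IDs by the certificate fingerprint they present."""
    groups = defaultdict(list)
    for device_id, fingerprint, _, _ in inventory:
        groups[fingerprint].append(device_id)
    return groups

def audit(inventory, max_days=MAX_VALIDITY_DAYS):
    """Return (device_id, issues) for every device that breaks either rule."""
    groups = devices_by_fingerprint(inventory)
    findings = []
    for device_id, fingerprint, not_before, not_after in inventory:
        issues = []
        # A certificate presented by more than one device identifies no device.
        if len(groups[fingerprint]) > 1:
            issues.append(f"shared-cert:{len(groups[fingerprint])}-devices")
        # A long validity period keeps a credential usable long after issuance.
        days = (not_after - not_before).days
        if days > max_days:
            issues.append(f"validity:{days}d")
        if issues:
            findings.append((device_id, issues))
    return findings

def revocation_blast_radius(inventory, fingerprint):
    """Devices that lose access if this one certificate is revoked."""
    return sorted(devices_by_fingerprint(inventory)[fingerprint])

if __name__ == "__main__":
    for device_id, issues in audit(INVENTORY):
        print(device_id, ", ".join(issues))
    print("revoking aa11 cuts off:", revocation_blast_radius(INVENTORY, "aa11"))
```

The blast-radius function shows the operational cost of a shared certificate: revoking it to shut out one unauthorized unit also disconnects every legitimate device that holds the same credential.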
◇ Failure to report malware and delayed breach notification
The investigation team also found that KT had discovered servers infected with malware such as BPFDoor in the past but handled them internally without reporting them. From March to July 2024, KT discovered 43 infected servers that stored personal information such as names, phone numbers, email addresses, and device identifiers (IMEI), yet it did not report this to the government.
In addition, police notified KT on Sept. 1, 2025, that unauthorized small-sum charges had occurred, and KT took blocking measures on Sept. 5, but it did not report the breach until Sept. 8, after confirming the illegal femtocell ID. This could result in fines of up to 30 million won under the Act on Promotion of Information and Communications Network Utilization and Information Protection.
◇ False reporting of server disposal timing
KT was also found to have falsely reported the timing of server disposal. According to the investigation team, KT reported that it disposed of servers on Aug. 1, 2024, but it was confirmed that the company actually disposed of servers multiple times from Aug. 1 to Aug. 13. KT also did not submit backup logs for the disposed servers, and circumstances indicated that it hindered the government's investigation through false reporting.
The investigation team determined that KT violated Article 137 of the Criminal Act (obstruction of the execution of official duties by fraudulent means) and referred the matter to investigative authorities. It also found that, through a security check, KT discovered traces of a server breach on Sept. 15, 2025, but did not report the breach until Sept. 18.
The investigation team will determine how payment authentication information and personal information were stolen through the illegal femtocells, including issues related to decryption. It will also clarify the areas where KT must bear legal responsibility and prepare measures to prevent a recurrence. The Ministry of Science and ICT will review KT's terms of service and then announce whether there are legal grounds for a waiver of penalty fees.