South Korea’s largest telecommunications operator, SK Telecom, has been fined a record US$96.9 million after a cyberattack compromised the personal information of 23 million users. The penalty, issued by the Personal Information Protection Committee (PIPC), highlights intensifying regulatory scrutiny of telecom companies entrusted with sensitive customer data.
Scale of the Breach and Regulatory Response
The breach was first reported on April 22, 2025, after SK Telecom detected unusual traffic patterns that later revealed unauthorized access. A detailed investigation confirmed that attackers had compromised personal records including:
- Phone numbers
- International Mobile Subscriber Identity (IMSI) details
- 23 different types of Universal Subscriber Identity Module (USIM) identifiers
The PIPC determined that SK Telecom had failed to uphold adequate protections. Identified shortcomings included weak access controls, lack of encryption for USIM authentication keys, and delays in customer notification.
PIPC Chairperson Haksoo Ko stated:
“The company had been in a vulnerable state for quite a long time, with significant weaknesses across the board. There were opportunities to identify and address these issues over time, but the company missed those chances and continued to overlook them. This left the company in a weak and exposed position.”
This regulatory decision sets a new precedent, surpassing even the US$51 million fine imposed on Google in 2022. It underscores the rising pressure on telecom firms to secure personal information.
Mandated Security Improvements for SK Telecom
Alongside the fine, SK Telecom must conduct a comprehensive inspection of its security systems and implement sweeping reforms. Mandated measures include:
- Deployment of enhanced access controls
- Implementation of upgraded encryption protocols
- Appointment of a Chief Privacy Officer (CPO) to ensure governance and compliance oversight
PIPC Chairperson Haksoo Ko emphasized the wider implications:
“We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budget as an essential investment. We also expect it will raise awareness of the role and importance of CPOs and dedicated privacy teams in corporate management.”
Corporate Reaction and Financial Impact
SK Telecom acknowledged the fine in a statement, saying it accepted the decision “with a deep sense of responsibility.” The company pledged to prioritize data security but also voiced disappointment, remarking:
“It is regrettable that our customer protection measures and explanations were not reflected in the outcome. We will thoroughly review the written decision once it is delivered and then decide on our stance.”
The fine presents significant financial challenges. Although SK Telecom reportedly set aside reserves during its second and third quarter earnings, its profitability will remain under pressure. Compounding the issue, regulators have mandated termination fee waivers for customers who choose to switch carriers after the breach.
Industry Comparisons and Regulatory Pressure
The US$96.9 million penalty dwarfs previous actions in South Korea’s telecom industry. By comparison:
- Kakao received a US$11 million fine for its data breach.
- LG Uplus faced a penalty of US$5 million.
Based on SK Telecom’s reported US$9.4 billion in wireless revenue, analysts note the fine could have reached as high as US$222 million under provisions of the Personal Information Protection Act (PIPA).
The decision signals regulators’ growing resolve to enforce strict penalties for insufficient cybersecurity. For global telecommunications providers, the case underscores both reputational and financial risks tied to inadequate data protection in an era of increasingly sophisticated cyber threats.