South Korea Fines SK Telecom $97M for Major Data Breach

South Korea’s largest mobile carrier has been hit with a record fine after a major data breach exposed the personal information of nearly half the country’s population.

The Personal Information Protection Commission (PIPC) announced on Thursday that it fined SK Telecom 134.8 billion won (about US$97 million) for weak security measures and failing to report breaches promptly. The regulator also ordered the company to strengthen its protections, citing years of lapses that left customer data vulnerable. This is the largest penalty the PIPC has issued since its establishment in 2020.

The case stems from a breach disclosed in April, when SK Telecom confirmed that hackers had stolen universal subscriber identity module (USIM) data. The company offered free replacements to affected users, while regulators launched a deeper investigation into the scope of the leak.

According to the PIPC, attackers obtained 25 types of data tied to 23.2 million customers on LTE and 5G plans. The compromised information included phone numbers and international mobile subscriber identities (IMSIs). Investigators found that intruders first accessed the company’s internal systems in August 2021 and again in June 2022, installing malware that later enabled the theft of 9.82 GB of user data on April 18, 2025.

The regulator concluded that the breach was enabled by basic security failures. In one instance, SK Telecom did not investigate after discovering unauthorized access to its home subscriber server in February 2022. The server, which stored sensitive personal data, could be accessed without proper authentication checks, the PIPC said.

“The company had been in a vulnerable state for quite a long time, with significant weaknesses in oversight,” PIPC Chairman Ko Haksoo said. “There were opportunities to identify and address these issues over time, but the company missed those chances and continued to overlook them. That left the company in a weak and exposed position, which frustrated committee members.”

The fallout has been building since the breach was revealed. In July, the Ministry of Science and ICT recommended that SK Telecom allow affected customers to cancel contracts without penalty. With the regulator’s fine and stern assessment now in place, pressure is mounting for the carrier to overhaul its data protection practices.

SK Telecom expressed regret over the PIPC’s decision. “We regret that our position and actions, which were fully explained during the investigation and deliberation, were not reflected in the outcome,” the company said.

Officials warn the implications go beyond typical concerns about ransomware or financial loss from stolen data. Lawmaker Yu Yong-weon, who proposed a National Cybersecurity Act in July, cautioned that the breach could pose national security risks. He said call data records could allow attackers to reconstruct call logs and potentially expose sensitive conversations involving senior officials. His proposed law would create a unified system for emergency response and intelligence-sharing to better counter cyber threats.

Concerns extend beyond South Korea. Reports have linked a hacking group known as Salt Typhoon, with alleged ties to China, to breaches of telecom operators in multiple countries. These incidents have raised alarms in the United States about potential surveillance of senior officials and risks to informants.

The SK Telecom incident highlights how telecom networks intersect with both consumer privacy and national security. For regulators in South Korea, the record fine sends a clear message: failure to protect personal data is not merely a business failure but a broader threat with serious consequences.
