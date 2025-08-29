SK Telecom suffered a data breach that was discovered in April 2025

It affected roughly 27 million people

The company was fined for it, and will need to make significant changes to its operations

SK Telecom (SKT), one of the biggest telecommunications services providers in South Korea, was fined almost $100 million for failing to protect user data.

In April 2025, the company discovered a malware breach that allowed threat actors to lurk within its systems for years. Some researchers even claim the attack started in August 2021.

The miscreants targeted SKT’s Home Subscriber Server (HSS) and other critical infrastructure, exposing sensitive subscriber data, including USIM authentication keys (KI), International Mobile Subscriber Identity (IMSI) numbers, IMEI device identifiers, phone numbers, email addresses, and possibly other personal data.

"Very weak condition"

Approximately 27 million people were affected by the breach.

Now, Reuters reports that the government-run Personal Information Protection Commission issued a statement, confirming the fine of about 134 billion won ($96.53 million) for “neglecting its duty to take safety measures” and for “delays in notifying the leak to customers”.

The statement also claims SKT’s systems were in a “very weak condition” which allowed threat actors to access the company’s intranet. There were no passwords, or other safety measures, defending the servers from outside influence, and operating systems were outdated and running without the latest security patches.

Besides being forced to pay the fine, the company will also have to “strengthen safety rules on information protection” and revamp its governance.

Responding to a Reuters inquiry, SK Telecom said it “felt a grave responsibility” and will make protecting customer information a “top priority”.

In response, it launched an “Information Security Innovation Plan”, that includes implementing zero-trust architecture, expanding encryption, forming a red team, elevating the CISO role to report directly to the CEO, and adding cybersecurity experts to the board.

Customers received free USIM card replacements, and were offered 50% off August subscription fees. Furthermore, whoever wanted to cancel their contract prematurely was allowed to do so without extra fees.

