Korean regulator hits SKT with $97m fine over data breach | Total Telecom

The fine is the largest ever imposed by South Korea’s Personal Information Protection Committee (PIPC)

This week, South Korea’s privacy regulator announced it will fine SK Telecom 134.8 billion won (~$97 million) in response to a data breach the company revealed in April.

The fine is the largest in the PIPC’s history to date. Prior to this, the committee’s largest fines were those levied against Google and Meta in 2022 for collecting consumer data without consent. The tech giants were fined 69.2 billion won (~$50 million) and 30.8 billion won (~$22 million), respectively.

The cyberattack in question took place on June 15, 2022, but was not reported to the Korea Internet & Security Agency (KISA) by SKT until April 22 this year, suggesting that installed malware remained undetected for three years.

Reports suggest that 23 of SKT’s servers were impacted, which collectively held four different types of USIM data, including International Mobile Subscriber Identity (IMSI) numbers. These unique numbers are used to identify individual customers.

In total, 9.32 gigabytes of USIM-related data, including 26.9 million IMSI numbers, were compromised in the attack and may have been leaked.

In response to the breach, SKT pledged to bolster its cybersecurity, as well as offering free USIM card replacements to all affected subscribers. The company also paused its acquisition of new subscribers, only restarting the process in June.

In its announcement, the PIPC described SKT’s internal cybersecurity system as having been in a “very weak condition”, saying the company had failed to properly manage access rights to customer data and did not encrypt USIM authentication keys. It also accused the company of delaying its notification of affected customers.

As such, alongside the punitive fine, the PIPC has also approved corrective measures from SKT, which include a system audit, additional security measures, and a review of the company’s data governance policies.

“We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budgets as an essential investment,” said PIPC Chairperson Ko Hak-soo in a press conference. “We also expect it will raise awareness of the role and importance of CPOs (Chief Privacy Officers) and dedicated privacy teams in corporate management.”

SKT responded to the announcement by saying that it took the decision “with a deep sense of responsibility”, but said it was “regrettable” that the company’s “customer protection measures and explanations were not reflected in the outcome”.

SKT announced in July that it will invest 700 billion won (~$500,000) in a new information security plan and 500 billion won (~$360,000) in a customer protection plan over the next five years.

It is unclear whether the operator will appeal the regulator’s decision.
