Investigators cite systemic femtocell flaws and delayed breach response
KT is facing mounting government pressure to waive early termination fees for all subscribers after investigators concluded the company failed to provide secure and reliable mobile services. A government-led probe found that weaknesses in KT’s management of femtocell mini base stations were exploited in a wave of unauthorized mobile payment fraud earlier this year.
The findings were announced at a press briefing by the Ministry of Science and ICT, which said KT’s lapses amounted to a breach of its contractual duty to protect users. Based on the results, the government recommended that KT exempt customers from contract cancellation penalties — only the second time such a measure has been applied to a telecom operator, following a similar case involving SK Telecom.
Femtocell flaws exposed entire user base to risk
Investigators said the security failure went beyond the confirmed fraud victims and exposed all KT subscribers to potential eavesdropping and data interception. “KT failed to implement adequate safeguards to prevent unauthorized access,” the ministry said, adding that the risk was network-wide rather than isolated.
At the center of the issue were femtocells, small base stations used to boost mobile signals indoors. The investigation found that KT’s femtocell authentication system relied on a single manufacturer-issued certificate shared across devices. Once copied, illegal femtocells could obtain valid credentials from KT’s internal servers and connect to the network.
Compounding the problem, the certificates were valid for up to 10 years. Investigators said this meant that any femtocell that accessed the network even once could retain long-term access, significantly widening the attack surface.
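An inventory audit for the two weaknesses described above (one certificate shared across devices, and validity measured in years), written as an added example that is not from the investigation or from KT. The device serials, fingerprints, dates and the 730-day ceiling are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed policy ceiling for a device certificate lifetime (not a figure from the article).
MAX_VALIDITY = timedelta(days=730)

# Constructed inventory rows: (device serial, cert fingerprint, notBefore, notAfter).
INVENTORY = [
    ("FEMTO-0001", "aa11", "2020-01-01", "2030-01-01"),
    ("FEMTO-0002", "aa11", "2020-01-01", "2030-01-01"),
    ("FEMTO-0003", "bb22", "2025-03-01", "2026-03-01"),
]


def audit(inventory, max_validity=MAX_VALIDITY):
    """Return findings for over-long certificate lifetimes and shared certificates."""
    devices_by_fingerprint = defaultdict(set)
    findings = []
    for serial, fingerprint, not_before, not_after in inventory:
        devices_by_fingerprint[fingerprint].add(serial)
        lifetime = date.fromisoformat(not_after) - date.fromisoformat(not_before)
        if lifetime > max_validity:
            # A long-lived credential stays usable long after it is copied.
            findings.append(("long_validity", serial, lifetime.days))
    for fingerprint, serials in sorted(devices_by_fingerprint.items()):
        if len(serials) > 1:
            # One credential on many devices cannot identify any single device,
            # and revoking it after a copy cuts off every device that holds it.
            findings.append(("shared_certificate", fingerprint, sorted(serials)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(INVENTORY):
        print(f"{kind}: {subject} -> {detail}")
```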
Scope of the fraud and arrests
The payment fraud incidents occurred between late August and early September. Authorities confirmed that:
- 368 subscribers suffered unauthorized mobile payments totaling 243 million won
- 22,227 users’ phone numbers and mobile identity data were compromised
Police arrested multiple suspects, including Chinese nationals accused of operating illegal femtocells. One suspect allegedly used a vehicle equipped with unauthorized base stations to intercept authentication calls and messages, while accomplices converted the proceeds into cash. Investigators said it was the first reported case in Korea where femtocells were directly used for mobile payment fraud.
Malware infections and delayed disclosure
Separately, the investigation uncovered broader cybersecurity weaknesses inside KT’s internal systems. A joint public-private task force inspected roughly 33,000 servers and found 103 types of malware across 94 servers, including backdoor malware that enabled remote access.
Investigators said some infections dated back to April 2022, and criticized KT for failing to notify authorities after detecting malicious code in early 2024. Instead, the company deleted data from dozens of servers before reporting the incident, delaying efforts to assess the full scope of damage.
The ministry also noted that KT retained system logs for only one to two months, making it difficult to confirm whether subscriber data had been leaked. Four out of five legal review bodies consulted by the government concluded that KT had violated its obligation to provide secure service.
Regulatory implications and potential customer churn
Officials said the recommendation to waive termination fees should be treated as binding, citing legal interpretations that allow the ministry to demand such measures or suspend operations if a company refuses. If KT follows through, it could lead to increased customer switching.
Earlier this year, SK Telecom’s decision to waive early termination fees after a separate data breach contributed to a drop in its market share to 38.8%, which it has yet to recover.
KT response and next steps
KT said it is reviewing the investigation findings and will announce customer compensation and cybersecurity reform plans once finalized. The ministry has ordered the company to submit a comprehensive prevention plan by January and said it will review implementation by mid-year.
The case adds to growing regulatory scrutiny of telecom security practices, following multiple breaches across the industry, and signals that failure to safeguard networks may carry not only technical and legal consequences, but also direct commercial penalties.






