South Korea’s data protection authority has slapped SK Telecom with a record penalty of 134.8 billion won ($97 million) after a large-scale cyberattack earlier this year exposed customer information. The April incident leaked SIM card details and other personal data of more than 23 million users, almost half the nation’s population, marking one of the country’s most significant privacy breaches to date.
The Personal Information Protection Commission (PIPC), which announced the penalty on Thursday, said the carrier had failed to maintain basic safeguards, leaving its systems vulnerable to hackers. In addition to the record fine, SK Telecom was ordered to pay an extra 9.6 million won ($7,000) for not reporting the incident within the required 72-hour window.
The fine marks the largest penalty ever imposed under South Korea’s Personal Information Protection Act, surpassing the KRW 69.2 billion levied on Google and KRW 30.8 billion on Meta in 2022. Previous record penalties for data leaks were much smaller, including KRW 15.1 billion against Kakao and KRW 6.8 billion against LG Uplus. The unprecedented scale of SK Telecom’s breach, however, pushed regulators to take a tougher stance.
Investigators found that the attack exposed 25 categories of data belonging to more than 23 million users, including phone numbers, SIM authentication keys, and international subscriber identification details. Alarming lapses in SK Telecom’s internal systems were cited, including the linking of internet and internal management servers, the failure to encrypt sensitive SIM data, and the neglect of long-known security vulnerabilities.
The PIPC concluded that SK Telecom’s security management was deeply inadequate. Its chief privacy officer only had oversight of IT services and apps, leaving core telecom operations outside supervision. Logs of intrusion attempts were ignored, and outdated systems remained in place until after the breach. Regulators stated that these failures constituted multiple violations of the Personal Information Protection Act.
SK Telecom has acknowledged “serious responsibility” for the breach but voiced frustration that its remedial measures were not reflected in the regulator’s final decision. Since April, the company has offered free SIM card replacements, waived early termination fees for customers who wish to leave, and introduced a KRW 700 billion plan to enhance information security. It also launched an accountability program in July aimed at strengthening customer trust.
Despite these moves, the regulator stressed that penalties were necessary to send a strong message. “This investigation is not only about sanctioning one company but also about reaffirming the importance of personal data protection across society,” PIPC Chair Ko Hak-soo said. He added that businesses should treat investments in privacy safeguards as essential, not optional.
The commission has also ordered corrective measures, including a complete overhaul of SK Telecom’s data governance framework. A chief privacy officer will now be tasked with company-wide oversight, and system-wide security upgrades must be implemented to prevent future lapses. The Korea Internet and Security Agency (KISA) will continue working with the PIPC in monitoring compliance.
While the final fine was lower than the KRW 300 billion some industry officials initially anticipated, it remains a significant blow to SK Telecom’s reputation. Analysts note that beyond financial penalties, the incident may erode consumer trust and increase long-term compliance costs. With regulators worldwide taking a firmer stance on cybersecurity, the case is being seen as a wake-up call for companies across industries to tighten their data protection practices.