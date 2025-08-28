The data protection regulator on Thursday penalized major wireless carrier SK Telecom Co. a record 134.8 billion won ($96.9 million) over a massive data breach that affected its entire 23 million user base.

It marks the highest-ever penalty the Personal Information Protection Commission has imposed since its launch in 2020.

In April, SK Telecom belatedly disclosed a major leak of universal subscriber identity module data from its servers, prompting the company to offer free USIM replacements to all of its users and an investigation by the regulator.

According to the PIPC's investigation, 25 types of data of 23.2 million subscribers to the company's LTE and 5G networks, including phone numbers and international mobile subscriber identity, were leaked due to a cyberattack.

The investigation found that hackers first infiltrated the company's internal network to install malware in August 2021 and again in June 2022 before taking 9.82 gigabytes of personal user data on April 18 this year.

The regulator determined that the leak took place as the carrier did not take basic security measures and poorly managed its internal servers.

For instance, the company did not carry out inspections after it discovered that hackers had accessed its home subscriber server storing user information in February 2022, according to the PIPC.

The personal information stored on the server could also be accessed without any authentication procedures.

The PIPC also said the company did not carry out basic security updates, exposing itself to cyberattacks.

The company installed an operating system with security vulnerabilities in November 2016 but did not conduct security updates even until the data leak this April.

Along with the penalty, the PIPC ordered the carrier to strengthen its security measures and make changes to its governance structure so that the chief privacy executive oversees the company's entire personal information operations.

In order to prevent similar cases, the PIPC plans to announce measures to strengthen personal information protection next month. (Yonhap)