South Korea’s privacy regulator imposed a record fine of 134.8 billion won ($97.2 million) on SK Telecom on Thursday over a hacking attack disclosed in April that exposed the SIM card information of over 23 million mobile users.

The Personal Information Protection Commission said it had also levied a 9.6 million won administrative penalty, citing “basic security failures and poor management” that left the country’s largest mobile carrier vulnerable to cyber intrusion.

SKT acknowledged “heavy responsibility” for the breach but said it regretted that its remedial actions and explanations were “not sufficiently reflected in the decision.” The mobile carrier said it would closely review the ruling once it receives the written decision before determining its next steps.

Investigators found that personal data belonging to LTE and 5G subscribers, as well as budget phone users, were leaked, including phone numbers, subscriber identification numbers (IMSI) and SIM authentication keys. A total of 25 categories of data covering 23.2 million people were compromised.

"SKT had linked its internet, management and internal networks on the same system without restricting external access to its internal management servers," the PIPC said. "The management servers were unnecessarily connected to the Home Subscriber Server, where the breach occurred, allowing hackers to reach the HSS and extract data."

The commission also said the company failed to encrypt 26.1 million SIM authentication keys, leaving them exposed in plain-text databases.

The mobile carrier was also blamed for ignoring intrusion detection logs and not applying available security patches, including one released in 2016 for a known vulnerability. In addition, the carrier limited the role of its chief privacy officer to IT services, leaving its telecom infrastructure outside oversight, according to the PIPC.

The watchdog said the fine, though smaller than the 350 billion won maximum initially expected, marks the largest penalty it has ever imposed under South Korea’s Personal Information Protection Act.

Under the revised law, fines can be imposed at up to 3 percent of a company’s revenue. Based on SKT’s wireless service sales of about 12.8 trillion won last year, industry officials had estimated a potential penalty in the mid-300 billion won range.

Previous large fines include 69.2 billion won imposed on Google and 30.8 billion won on Meta for collecting user data without consent to target online ads.

The previous record in cases involving data leaks was the 15.1 billion won fine Kakao received last year after personal information from its open chat rooms was exposed. LG Uplus, another telecommunication firm, was fined 6.8 billion won for a separate breach that affected about 300,000 customers.

Following the April incident, SKT offered free SIM card replacements for all customers and compensation to dealers affected by business suspensions. After a joint government-private task force released its final findings, the company announced a commitment program that included waiving termination fees for departing users, a 50 percent discount on August bills for all customers, an additional 50 gigabytes of data and expanded membership benefits.