SK Telecom Fined US$96.9m after Data Breach Hits 23m Users

South Korea's leading telecommunications company, SK Telecom, has been handed a record penalty by the country's privacy regulator following a massive cyberattack in April.
This breach involved unauthorised access to data belonging to over 23 million users.
The Personal Information Protection Committee (PIPC) imposed a fine of US$96.9m on the operator, marking the highest penalty ever enforced in the telecom sector by the regulator.
This financial sanction surpasses previous penalties against technology giants like Google, which faced a US$51m fine in 2022.
It underscores the intense regulatory scrutiny that telecom operators are now experiencing as custodians of sensitive user information.
Data breach details
On 22 April 2025, SK Telecom reported an incident after noticing unusual traffic patterns.
A detailed investigation revealed that personal records, including phone numbers, International Mobile Subscriber Identity (IMSI) data and 23 different types of Universal Subscriber Identity Module (USIM) identifiers, had been compromised.
The PIPC identified lapses in SK Telecom's data security measures, including inadequate access controls, failure to encrypt USIM authentication keys and delays in notifying affected customers.
These failures highlighted systemic issues in the governance of personal data protection.
PIPC Chairperson Haksoo Ko commented: “The company had been in a vulnerable state for quite a long time, with significant weaknesses across the board.
“There were opportunities to identify and address these issues over time, but the company missed those chances and continued to overlook them. This left the company in a weak and exposed position.”
Mandated security improvements
Beyond the hefty fine, SK Telecom is required to carry out an exhaustive inspection of its security framework and enact broad reforms to strengthen its data governance practices.
These measures involve implementing more stringent access controls, upgrading encryption protocols and designating a Chief Privacy Officer to ensure comprehensive compliance oversight.
“We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budget as an essential investment.
“We also expect it will raise awareness of the role and importance of CPOs and dedicated privacy teams in corporate management.”
Corporate reaction and financial implications
SK Telecom issued a statement saying it accepted the decision “with a deep sense of responsibility” and pledged to prioritise safeguarding customer data across all its operations.
However, it indicated disappointment, noting: “It is regrettable that our customer protection measures and explanations were not reflected in the outcome. We will thoroughly review the written decision once it is delivered and then decide on our stance.”
The penalty poses profitability challenges for South Korea's largest mobile operator.
Although it reportedly reserved funds for this eventuality in its second- and third-quarter earnings, the operator's profitability will remain under pressure, especially since the government has mandated termination fee waivers for customers opting to switch carriers post-breach.
Regulatory challenges and industry impact
The size of SK Telecom's fine has sparked debate about consistency in regulatory penalties.
Comparisons are drawn to Kakao's US$11m fine and LG Uplus' US$5m penalty for similar breaches.
Analyses suggest that the penalty imposed on SK Telecom could have been as high as US$222m, based on its wireless revenue of US$9.4bn, as per the Personal Information Protection Act provisions.
For global telecommunications providers, this case serves as a stark reminder of the reputational and financial risks tied to insufficient data protection measures.
As cyber threats become more sophisticated, regulators are ready to enforce strict penalties and showcase their commitment to stringent data security standards.
The incident underlines the importance of robust governance structures, including appointing chief privacy officers and dedicated security teams.
For operators managing data on a national scale, investments in encryption, intrusion detection and access policy controls are non-negotiable.
Ultimately, this case emphasises dwindling regulatory tolerance for data mismanagement and serves as a cautionary tale for telecom companies globally.
In an era where networks function as critical infrastructure, operators need to prepare for increased scrutiny on their security protocols, customer communication procedures and overall data access governance.






