SK Telecom's response to the SIM card hacking incident has been criticized by the political sector and public opinion for being inadequate, while the cases of hefty compensation paid by U.S. telecom companies that experienced customer data breaches are gaining attention. In South Korea, the penalty surcharge for large-scale personal information leaks is small, prompting calls for stricter penalties.
According to the National Assembly on the 1st, the Science, Technology, Information, Broadcasting, and Communications Committee decided to hold a hearing on the SK Telecom SIM card hacking incident on the 8th and has summoned Chey Tae-won, chairman of SK Group, as a witness.
Since the 2020s, large telecom companies in the U.S. such as T-Mobile and AT&T have experienced customer information leaks. T-Mobile, one of the three major wireless carriers in the U.S., faced a significant data breach in 2021, affecting over 76.6 million current and former customers, with names, birth dates, social security numbers, driver's license numbers, and other sensitive information leaked. Out of these, 850,000 customers had their account passwords (PINs) exposed, prompting the company to take forced reset measures.
T-Mobile informed customers of the attack and sent email and text alerts to all customers, offering free McAfee security services for two years, regardless of whether they were affected.
In response, consumers filed a lawsuit against T-Mobile, which agreed to pay $350 million (approximately 459 billion won) in compensation. Accordingly, T-Mobile customers will receive compensation up to $25,000 (approximately 32 million won) per person, depending on the extent of their damages. Additionally, T-Mobile decided to invest $150 million (approximately 200 billion won) in its cybersecurity sector by 2023.
AT&T, the top telecom provider in the U.S. by market share, has also been involved in several customer information leaks. In 2023, customer proprietary network information (CPNI) containing names, wireless phone numbers, line counts, call volumes, and plans for 8.9 million customers was leaked from an external marketing company's cloud storage. As a result, AT&T had to pay a penalty surcharge of $13 million (approximately 17 billion won) to the Federal Communications Commission (FCC).
The following year, it was revealed that the call and text records of approximately 109 million customers were hacked, causing an uproar. The scope of the damage involved all customer call and text records generated between May and October 2022, during which AT&T negotiated with hackers to pay $370,000 (approximately 550 million won) and delete the data.
In March of the previous year, AT&T also revealed that personal data of approximately 7.6 million current account users and about 65.4 million former customers had been leaked to the dark web. AT&T is currently under investigation by the FCC for these incidents and is facing over 20 individual and class-action lawsuits across various U.S. states, including Texas and California.
The scale of penalty surcharges imposed in South Korea differs from this. The Personal Information Protection Commission imposed a penalty surcharge of 6.8 billion won on LG Uplus for leaking approximately 300,000 customer records due to a hacking attack in July 2023.
Kakao was fined 15.1 billion won related to the leak of 65,000 user personal information due to security vulnerabilities in the KakaoTalk open chat feature last year, marking the highest amount of penalty surcharge imposed on a corporation for personal data breaches.
Earlier this year, indoor screen golf company GOLFZON was notified of a penalty surcharge of 7.5 billion won due to the leak of over 2.21 million pieces of customer and employee personal data to the dark web.
Regarding the SK Telecom hacking incident, Choi Jang-hyuk, vice chairman of the Personal Information Protection Commission, noted at a regular briefing on the 29th of last month, “Fundamentally, this will be on a different level than LG Uplus's (personal data leak),” indicating the possibility of a higher penalty surcharge.