Chairperson Ko Hak-soo of the Personal Information Protection Commission said, "The case involving SK Telecom (data breach incident) is, based on the circumstances we see, an unprecedented event," and noted, "We are looking into the matter seriously with a sense of urgency."
Chairperson Ko made this statement on the 21st at a personal information policy forum co-hosted by the Personal Information Protection Commission and the Korean Chief Privacy Officer Council (KPOC) at the Bank Hall in Jung-gu, Seoul. He pointed out, "Fundamentally, there has been a national-level damage, and while some are providing hints to prove the occurrence of the damage, the damage has already been greatly incurred, and the company was unable to prevent it."
He stated, "All data of 25 million customers in the HSS (Subscriber Authentication System) of SK Telecom has been hacked," adding, "A report was received by the Personal Information Protection Commission on April 22, and there is no doubt that the personal information has been leaked since that day." He emphasized this. When asked if hacked personal information from SK Telecom has been leaked on the dark web, he replied, "Nothing has been found yet," but added, "There are difficulties in monitoring."
When asked about the perpetrators behind the hacking, Chairperson Ko mentioned, "Many hacking incidents face significant difficulties in accurately identifying the cause or confirming the perpetrators," and stated, "There were traces of data that went through Singapore from the HSS, and it is difficult to ascertain who controlled the Singapore IP address."
Chairperson Ko also expressed strong regret while reflecting on the process of SK Telecom notifying individual users about the information leak. He noted, "The notice from SK Telecom was decided on May 2 and was communicated on the 9th, but there is much regret regarding this matter. It is problematic that they had not notified until that point, and there were contents in the notice indicating 'the possibility of a leak will be informed later,' which did not comply with legal requirements." He continued, "It was not an adequate notification, and the belated and inadequate response itself is a problem," adding that he has sent an official letter to SK Telecom indicating that the notification was insufficient.
He also expressed concern, saying, "Of course, we must monitor and make efforts to minimize the possibility of secondary damage, but significant damage has already occurred," adding, "It is incorrect to say that the real damage occurs only if secondary damage happens, as there are various forms of secondary damage even if it is not through cloned phones."
Earlier, during his opening remarks at the forum that day, he stated, "The SK Telecom data breach incident is a very serious incident that threatens public trust in the era of digital transformation and deepening artificial intelligence," stressing, "We will impose strict sanctions against violations of the law."
The Personal Information Protection Commission has established a task force (TF) to investigate the matter, considering the seriousness of the issue since the report of the leak from SK Telecom was received on the 22nd of last month. On the 2nd of this month, an emergency general meeting was held to resolve to have SK Telecom notify individual users of the leak.