The Ministry of Science and ICT announced the results of its investigation into the hacking incident involving the domestic No. 1 mobile operator, SK Telecom, which has about 25 million subscribers (including budget phones), on the 4th. Ryu Je-myung, the second vice minister of the Ministry of Science and ICT, who conducted the announcement at the Seoul Government Complex in Jongno-gu, stated, "SK Telecom did not fulfill its obligation as a service provider to provide safe communication services," and added, "Since it failed to meet the standards set forth in the relevant laws, we determined that SK Telecom was at fault."
Industry experts predict that SK Telecom, which leaked subscriber USIM (Subscriber Identity Module) information for about 27 million people due to a hacking attack, could be fined over 500 billion won, marking a 'record-breaking penalty surcharge'. The penalty surcharge for violations of the Personal Information Protection Act can be up to 3% of maximum revenue. SK Telecom's revenue last year reached approximately 17.94 trillion won, which means that a maximum penalty surcharge of 530 billion won could be imposed.
The penalty surcharge related to SK Telecom's violations of the Personal Information Protection Act will be determined by the Personal Information Protection Commission. Given that the Ministry of Science and ICT announced a 'series of responsible causes,' it is expected to have a significant impact on the amount of the penalty surcharge that will be imposed on SK Telecom in the future. The Personal Information Protection Commission previously classified the SK Telecom leak incident as a 'record-breaking event' and expressed a commitment to impose severe penalties. SK Telecom is expected to argue that there were no actual damages, rather than the scope of the infringements, to reduce the penalty surcharge amount.
President Lee Jae-myung mentioning the SK Telecom issue the previous day is also considered a factor lending weight to the outlook for the 'record-breaking penalty surcharge.' Spokesperson Kang Yu-jeong noted that after President Lee received a report from the National Security Office and the AI Future Planning Office during a meeting of senior and advisory officials, he stated, "There should be no situations where victims incur losses due to the company's fault during the contract termination process," and emphasized that public sentiment regarding victim harm must be adequately reflected, and legal interpretations should actively favor the victims.
The Ministry of Science and ICT concluded that based on the findings of a joint public-private investigation team that investigated the cyber intrusion incident at SK Telecom, the company had issues with ▲ inadequate management of account information ▲ insufficient response to past intrusion incidents ▲ and failure to take necessary encryption measures for important information. It was also confirmed that SK Telecom violated the Telecommunications Network Act.
SK Telecom is also expected to face fines due to the late reporting of the cyber intrusion incident. The company first detected the hacking incident at around 11:20 p.m. on April 18. The report to the Korea Internet & Security Agency (KISA) regarding the intrusion incident was submitted at 4:46 p.m. on April 20. The Telecommunications Network Act stipulates that a report must be made within 24 hours of recognizing an incident, and a fine of 30 million won will be imposed for violations. SK Telecom reported the intrusion incident approximately 41 hours after the recognition.
There will also be a legal dispute with the Ministry of Science and ICT. The ministry ordered SK Telecom to preserve data for the analysis of the cause of the intrusion incident on April 21, according to the Telecommunications Network Act. After receiving the order, SK Telecom took voluntary action rendering forensic analysis impossible on two servers about two hours later. Failure to comply with the data preservation order could result in a prison sentence of up to two years or a fine of up to 20 million won. The Ministry of Science and ICT plans to refer this matter to the investigative agency.