South Korea’s privacy watchdog has slapped SK Telecom with a record ₩134.5 billion ($97 million) fine after finding that the mobile giant left its network wide open to hackers through a catalog of bungles.
The case stems from a breach disclosed in April, when SK Telecom admitted that hackers had swiped the universal subscriber identity module (USIM) data of almost 27 million subscribers. To put that in context, the population of the entire country is a shade over 50 million. The carrier tried to mitigate the fallout by offering free SIM replacements to affected customers, but regulators smelled something bigger and launched a full-blown probe into the leak.
The Personal Information Protection Commission (PIPC) said that the country’s biggest carrier “did not even implement basic access controls” between its internet-facing systems and internal management network. As a result, attackers were able to infiltrate SKT’s core systems, extract authentication data, and siphon off subscriber information at scale.
The privacy watchdog estimates that the damage was slightly less than SK Telecom initially claimed, with approximately 23 million subscribers affected by the breach – a mere 45 percent of the country’s population.
According to the regulator’s report, SKT failed at almost every layer of defense. The company allegedly didn’t check logs from intrusion detection systems so it ignored anomalous behavior while attackers quietly mapped out the operator’s infrastructure. In one particularly damning finding, the PIPC report said administrators had dumped thousands of server credentials in plaintext on a management network server.
Around 4,899 usernames and passwords for 2,365 servers were just sitting there, without so much as a password protecting access to Home Subscriber Server (HSS) databases, the regulator claimed.
It doesn’t take much imagination to guess what happened next. Armed with the harvested account details, intruders appear to have hopped into the management servers, installed malware, and queried the HSS database directly. From there, they were able to view and extract subscriber information without so much as a raised eyebrow from SKT’s monitoring teams.
The regulator also flagged failures around cryptography. It found that more than 26 million USIM authentication keys – the “Ki” values used to verify subscribers and provision mobile services – were left unencrypted in SKT’s databases. That blunder would have handed attackers the means to replicate SIM credentials, raising the specter of large-scale identity fraud or cloned devices piggybacking on legitimate accounts.
