Largest Penalty Ever Imposed by Regulator

The Personal Information Protection Committee (PIPC) fined SK Telecom a record 134.8 billion won, or about $96.9 million, after investigating a major data breach earlier this year.

This fine is the largest ever imposed on a single company in South Korea for mishandling user data. It is far higher than the 69.2 billion won fine placed on Google in 2022 for collecting personal data without permission.

The PIPC also decided on an additional administrative penalty of 9.6 million won. Alongside the financial penalty, the regulator ordered corrective steps. These include regulators ordering a full inspection of SK Telecom’s systems, stronger cybersecurity measures, and an overhaul of how the company manages personal data.

The committee said the punishment was necessary because SK Telecom failed to use proper safeguards. It pointed out issues such as weak access control, poor management of user rights, failure to encrypt key information, and delays in notifying users about the breach.

Details of the Data Breach

The breach was first reported on April 22, when SK Telecom informed the PIPC that it had noticed unusual activity on its network a few days earlier. Investigators later confirmed that more than 23 million user records were exposed during the cyberattack.

The stolen information included phone numbers, international mobile subscriber identities, and more than 20 different types of universal subscriber identity module (USIM) data. These details are highly sensitive because they are linked to mobile services and user authentication.

Riders in Panic as Cyberattack Sparks Maryland Transit Information Meltdown

The South Korean government declared the company liable for the incident. It ruled that SK Telecom had failed to protect its customers’ personal data as required by law. As part of the response, the government also required the company to exempt customers from paying early termination fees if they decided to switch to other carriers.

In July, SK Telecom announced new plans to strengthen protections. It promised to spend 700 billion won on information security and another 500 billion won on customer protection measures. The company also said it would waive early termination fees as part of its relief plan for affected users.

Despite these steps, regulators concluded that the company had still neglected basic duties in handling personal data. They stressed that the scale of the breach, combined with the security lapses, justified the record-breaking penalty.

Debate Over Fairness of the Fine

The size of the fine has started a debate in the industry. Some experts expected the penalty to be about 100 billion won. Others thought it could go over 300 billion won. The Personal Information Protection Act allows fines of up to 3 percent of a company’s revenue. Last year, SK Telecom’s wireless business made 12.77 trillion won in revenue.

The final fine, while large, fell in between those expectations. Still, many in the market believe the penalty is unusually harsh compared to other cases.

Industry voices have questioned why SK Telecom’s case resulted in such a steep penalty when other violations drew much smaller fines. Some say this shows regulators are applying inconsistent standards. Others believe the high amount reflects the scale of the incident and the large number of customers affected.

Fox warns YouTube TV deal may lapse putting NFL and college football coverage at risk

SK Telecom said it accepts the decision with a “deep sense of responsibility.” It pledged to put customer data protection first. The company also said it will take every possible step to keep user information safe.

However, the company also expressed regret that the regulator’s final ruling did not reflect its own protection measures and explanations. It noted that it will wait for the written decision, which may take one to three months to arrive, before deciding whether to appeal.

Under the law, SK Telecom has 90 days after receiving the written decision to file an appeal or lawsuit if it chooses. For now, the fine remains the largest financial penalty ever handed down by South Korea’s data protection regulator.