SK Telecom receives record Korean fine

Updated as of: 29 August 2025

Korea’s privacy watchdog has fined SK Telecom 134.8 billion won (€83 million) only four months after the company reported a data breach.

The Personal Information Protection Commission (PIPC) said today that the mobile carrier neglected to put in place sufficient security measures or properly comply with breach notification requirements. It said a major hacking incident exposed the personal data of over 23 million SK Telecom users, including their phone numbers and SIM authentication keys.

According to the PIPC, a three-month investigation revealed that basic security failures and poor management had left the customer data exposed to the attack. It said hackers first infiltrated SKT’s network in August 2021, installed malicious programs on multiple servers and ultimately leaked user personal information in April 2025.

The regulator cited sweeping violations of the Personal Information Protection Act’s safety requirements, including a lack of access control measures and a failure to install security updates despite being aware of system vulnerabilities. 

SK Telecom also stored sensitive data in plain text without encryption, and neglected to establish and implement internal safety management plans, the PIPC said. The systems where the leak occurred were not effectively managed or supervised by the company’s chief privacy officer, it added.

Delayed breach notification further exacerbated “the social confusion” in the aftermath of the attack, the authority said. The operator first detected the breach on April 19 but failed to notify affected users within the legally required 72-hour period, it added. 

PIPC chairman Ko Haksoo said the incident should prompt businesses handling large amounts of personal information to view the allocation of budgets and personnel “as a necessary investment rather than a mere expense.”

“I hope this leads to a greater recognition of the role and importance of chief privacy officers (CPOs) and dedicated teams in corporate management, thereby strengthening the overall data protection framework”, he said.

The PIPC said it decided to impose a fine of 134.8 billion won (€83 million) for the various safety failures, as well as a penalty of 9.6 million won (€5,915) for SK’s delayed breach notification. This penalty surpasses the regulator’s previous record penalty, which was a combined 100 billion won (€71.9 million) fine issued against Google and Meta in 2022 – 69.2 billion won for Google (€49.7 million) and 30.8 billion won for Meta (€22.1 million) – over their tracking of users’ behaviour for targeted advertising.

In addition to the fine, the Korean watchdog today handed SK a corrective order to strengthen its security measures and establish a more secure governance system across the company. 

SK Telecom could not be reached for comment.