Privacy watchdog chief signals substantial fine for SKT over data breach

Korea’s privacy regulator chief said Thursday that SK Telecom (SKT) is likely to face a substantial fine, citing the severity of the recent data breach caused by the hacking incident.

Personal Information Protection Commission Chairperson Ko Hak-soo gives a lecture about Korea's personal data policies at a seminar hosted by the American Chamber of Commerce in Korea (Amcham) at Grand Hyatt Seoul in central Seoul on May 8. [PERSONAL INFORMATION PROTECTION COMMISSION]

Korea’s privacy regulator chief said Thursday that SK Telecom (SKT) is likely to face a substantial fine, citing the severity of the recent data breach caused by the hacking incident.

“The fine to be imposed against SKT is bound to be high considering the circumstances,” Personal Information Protection Commission (PIPC) chairman Ko Hak-soo told the Korea JoongAng Daily after a seminar hosted by the American Chamber of Commerce in Korea (Amcham) held at Grand Hyatt Seoul in central Seoul.

SKT’s data breach is often compared to a similar but far smaller hacking incident at rival LG U+, which was fined 6.8 billion won ($4.86 million) by the PIPC in July 2023 after a data leak affected 300,000 users.

“SKT’s penalty is likely to be higher than LG U+ for three reasons,” Ko said. “Legal revisions introduced since then allow for tougher sanctions, the scale of SKT’s leak is significantly larger affecting 25 million subscribers, and unlike LG U+, where the breach involved a supporting database, SKT’s data was compromised directly from its primary database.”

Under the revised Personal Information Protection Act since September 2023, fines are capped at 3 percent of the company’s total revenue, rather than just the revenue directly linked to the violation. However, to avoid excessively heavy penalties, companies may exclude portions of their revenue if they can provide evidence providing those amounts are unrelated to the violation.

When pressed for comment whether the fine would be an all-time-high for domestic companies, surpassing the 15.1 billion-won figure set by Kakao’s data breach in May 2024, Ko did not answer.

The privacy regulator has also been investigating major robot vacuum brands — including China’s Roborock, Ecovacs, and Xiaomi — since March, amid concerns that Chinese manufacturers may be improperly collecting and transmitting Korean users’ personal data overseas.

“I cannot say for certain when the investigation results will be released,” Ko said, adding that the PIPC is currently focused on examining privacy practices and legal compliance, rather than imposing penalties.

BY LEE JAE-LIM [lee.jaelim@joongang.co.kr]