SK Telecom ordered to waive cancellation fees after data breach

Travelers wait to replace SIM cards at the SK Telecom roaming center at Incheon International Airport on May 1. /News1

The South Korean government has ruled that SK Telecom must not charge penalty fees to customers who want to switch carriers following the recent hacking incident. It also announced plans to request a criminal investigation into the mobile carrier’s failure to comply with a data preservation order during the breach response.

A joint public-private investigation team led by the Ministry of Science and ICT on July 4 released its final report on the SK Telecom hacking case. The investigation found that SK Telecom was negligent in protecting SIM card information and violated the Information and Communications Network Act. The company’s fault in the breach was confirmed, making it justified to waive penalty fees for affected customers.

South Korea’s three major telecom operators offer discounts or subsidies to customers who agree not to change carriers for a certain period. SK Telecom’s terms state that customers are exempt from penalty fees if they cancel service due to the company’s fault. Given SK Telecom’s negligence in this case, customers wishing to leave the carrier should not be charged penalty fees. Last month, SK Telecom CEO Ryu Young-sang estimated the company could face losses exceeding 7 trillion won ($5.1 billion) over three years if penalty fees were waived.

The investigation examined all 42,605 SK Telecom servers, finding 28 infected servers and 33 types of malware—more than previously reported in the second investigation. The types of leaked information, including phone numbers and subscriber IDs, remained the same at 25 categories. The breach’s initial infection date was revised to August 2021, earlier than the previous estimate of June 2022.

The report found that poor management of account information allowed the breach to happen. Despite a prior hacking incident in February 2022, SK Telecom’s inadequate response missed the chance to prevent this larger attack. The investigation revealed that the company stored SIM authentication keys without encryption, which could allow SIM cloning.

SK Telecom also violated the Information and Communications Network Act by reporting the breach late, beyond the required 24-hour period. The company may face fines up to 30 million won under Article 76. The Ministry of Science and ICT had ordered SK Telecom to preserve data for analysis, but the company submitted two servers in a condition that prevented forensic examination. Due to this, the government plans to request a criminal investigation.