Gov't urges KT to waive contract termination fees over hacking incident

The government urged KT on Monday to waive contract termination fees for all users after it was found to have failed to provide safe and reliable service in connection with a large-scale hacking incident.

Ryu Je-myung, second vice minister of science and ICT, speaks during a press briefing at the Government Complex Seoul in central Seoul on Dec. 29. [NEWS1]

The government urged KT on Monday to waive contract termination fees for all users after it was found to have failed to provide safe and reliable service in connection with a large-scale hacking incident.

Ninety-four KT servers had been infected with 103 types of malware, potentially exposing call data, according to the Ministry of Science and ICT during a press briefing at the Government Complex Seoul in central Seoul.

The KT hacking incident began in 2024 when the company detected malware on its internal servers but failed to report it. Public attention escalated earlier this year after investigators revealed that the breach compromised user data and involved unauthorized access through KT’s network.

A joint public-private investigation team inspected 33,000 servers across six rounds and uncovered malicious code such as the BPFDoor rootkit, malware installed to access a server from outside. The scale of the breach surpassed a hacking case at SK Telecom, where 33 types of malware were detected.

The findings suggest that KT’s network was infected as early as April 2022, and that the company delayed damage control by failing to report the breach in a timely manner.

A KT store is seen in Seoul on Dec. 29. [YONHAP]

Investigators said KT discovered the malicious code in March 2024, but failed to notify the government. Instead, the company deleted data from 41 servers on its own, which delayed efforts to assess the full scope of the breach.

In a separate incident, an unauthorized femtocell — a small base station used to boost mobile signals — accessed KT’s network and extracted sensitive subscriber information, including International Mobile Subscriber Identity, International Mobile Equipment Identity and phone numbers.

Authorities confirmed 22,227 users were affected and identified 368 cases of unauthorized micropayments totaling 243 million won ($170,000). Investigators said they could not verify damages that occurred before July 31 of last year, leaving open the possibility of additional unverified damage.

The investigation team also said the illegal femtocell stored KT’s digital certificate and authentication server IP address, and that the communication process lacked encryption, making it possible for attackers to intercept payment verification data sent through automated calls and text messages, as well as text messages and call content. They also found that KT did not enable encryption settings on some devices.

The ministry said KT’s systemic security failures met the conditions outlined in its terms of service for waiving termination fees. Officials noted that the breach impacted many users, not just a small group.

A telecom store in Seoul displays the logos of KT and LG U+ on Dec. 29. [YONHAP]

Four out of five legal review bodies concluded that KT violated its contractual obligation to provide secure service, validating user compensation claims. The ministry expects KT to apply contract termination fee waivers at a level similar to the SK Telecom case.

“We expect KT to consider the scope of the waiver and retroactive application from the consumer’s point of view,” Second Vice Science Minister Ryu Je-myung said.

The investigation team instructed KT to strengthen its security by expanding the use of endpoint protection tools, conducting quarterly security checks on all assets, retaining system logs for at least one year and establishing a centralized log management system. It also recommended appointing a chief information officer to oversee all company-wide assets and adopting a system to manage IT resources more effectively.

The ministry asked KT to submit its prevention plan by January next year and said it will review whether the measures have been properly implemented by June.

“We are taking the investigation findings seriously and will promptly announce our customer compensation and cybersecurity reform plans once finalized,” KT said.

In a separate hacking case involving LG U+, investigators said attackers breached the company’s integrated server access control system and leaked a list of servers, account credentials and employee names.

They added that LG U+ reformatted or discarded the affected server operating systems after the breach, making it difficult to verify the full extent of the intrusion. The Science Ministry has requested a police investigation in response.

“LG U+ will cooperate fully with the investigation,” the company said.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom. BY JEONG JAE-HONG [paik.jihwan@joongang.co.kr]