SK Telecom Faces Mammoth US$97m Data Breach Fine

SK Telecom data breach stands as a pivotal moment for the telecom industry | Photo: SK Telecom
SK Telecom faces a record US$97m fine after exposing 23m users’ data, highlighting compliance risks and signalling tougher telecom scrutiny

South Korea’s privacy regulator has imposed a record penalty on SK Telecom following a major cyberattack in April that compromised data belonging to more than 23 million users. The Personal Information Protection Committee (PIPC) fined the operator US$96.9m, the most significant sanction ever levied against a single company in the telecommunications sector by the watchdog.

The fine eclipses earlier penalties against global firms such as Google, which was fined US$51m in 2022, and illustrates the scale of regulatory pressure telecom operators now face as custodians of sensitive customer data.


Scope of the data breach

SK Telecom reported the incident on 22 April 2025 after detecting unusual traffic flows days earlier. The subsequent investigation confirmed that attackers had exfiltrated personal records, including phone numbers, International Mobile Subscriber Identity (IMSI) data and 23 types of Universal Subscriber Identity Module (USIM) identifiers.

According to the PIPC, the operator failed to implement robust access control policies, neglected to encrypt USIM authentication keys and delayed notifying its customers. The commission further highlighted long-standing weaknesses in SK Telecom’s governance of personal data protection.


PIPC Chairperson Haksoo Ko commented: “The company had been in a vulnerable state for quite a long time, with significant weaknesses across the board.

“There were opportunities to identify and address these issues over time, but the company missed those chances and continued to overlook them. This left the company in a weak and exposed position.”

Corrective measures and mandated governance overhaul

In addition to the financial sanction, the PIPC has ordered SK Telecom to conduct a comprehensive security system inspection and implement company-wide reforms to enhance personal data governance.

Measures include stricter access controls, enhanced encryption standards and the appointment of a Chief Privacy Officer empowered to oversee end-to-end compliance.

“We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budget as an essential investment.

“We also expect it will raise awareness of the role and importance of CPOs and dedicated privacy teams in corporate management.”

PIPC Chairperson Haksoo Ko

SK Telecom’s response and financial concerns

SK Telecom issued a statement saying it accepted the decision “with a deep sense of responsibility” and pledged to prioritise safeguarding customer data across all its operations.

However, it indicated disappointment, noting: “It is regrettable that our customer protection measures and explanations were not reflected in the outcome. We will thoroughly review the written decision once it is delivered and then decide on our stance.”

The fine raises concerns about profitability for South Korea’s largest mobile operator. Industry officials estimate that it had already set aside costs in the second and third quarter earnings reports.

Still, profitability remains under pressure, particularly as the government has directed the operator to waive termination fees for customers choosing to switch carriers after the breach.

The PIPC has ordered SK Telecom to conduct a comprehensive security system inspection and implement company-wide reforms to enhance personal data governance | Photo: PIPC

Regulatory inconsistencies and market comparisons

The size of the fine has fuelled debate about consistency in regulatory enforcement. In contrast, Kakao was fined just US$11m for its open chatroom data leak, while LG Uplus paid US$5m following a similar breach last year. With fines legally permitted to reach three percent of company revenue under the Personal Information Protection Act, some commentators had expected SK Telecom’s penalty to be as high as US$222m, given its wireless revenue of US$9.4bn.

Market analysts suggest the discrepancy in fines may create uncertainty around regulatory expectations for future cases. The unexpectedly significant penalty has also raised concerns about SK Telecom’s financial standing.


Implications for the telecommunications industry

For operators worldwide, the SK Telecom case exemplifies both the reputational and financial risks associated with failing to protect customer data adequately. As cyberattacks grow more sophisticated, regulators are signalling tougher enforcement and a readiness to impose record-breaking fines.

The ruling further highlights the role of governance structures, with a focus on chief privacy officers and dedicated security teams. For telecommunications providers that manage data at a national scale, investment in encryption, intrusion detection and access policy control is no longer optional but essential.

Beyond short-term compliance, the incident serves as a warning to telcos that regulatory tolerance for the mismanagement of subscriber data is diminishing.

With networks serving as critical infrastructure, operators must anticipate tighter scrutiny of their security standards, customer notification processes and data access governance.