A data breach involving USIM (Universal Subscriber Identity Module) information has occurred at SK Telecom, the largest mobile carrier in South Korea, and it has been revealed that the servers storing this information had been left unattended in a 'management blind spot.'
According to materials submitted by the office of Choi Minhee, a lawmaker from the Democratic Party of Korea, to the Ministry of Science and ICT on April 28, the SKT servers recently affected by hacking had not been designated as 'critical information and communications infrastructure that requires national and social protection' under current law. It has been reported that the Home Subscriber Server (HSS), subscriber authentication key storage systems, and core servers related to USIM were compromised.
As a result, servers storing key subscriber information were excluded from direct government inspections or technical diagnostics. In fact, the servers targeted in this hacking incident had not undergone any government-led technical inspections or penetration tests over the past three years. SKT had only participated in crisis response drills, such as those for phishing emails and DDoS attacks.
The reason SKT's core servers were not designated as critical information and communications infrastructure is due to the delegation of detailed designation to the private sector. The government, under the Act on the Protection of Information and Communications Infrastructure, designates national core facilities in sectors such as telecommunications, finance, and energy as critical information and communications infrastructure and inspects the implementation of protection measures by management agencies. However, the scope of detailed designation is determined by the private sector, and the government can only review the validity and make adjustments if necessary. Choi Minhee pointed out that this structure effectively leaves such matters to private sector discretion.
Choi Minhee stated, "Although SKT's core servers are a national foundation for protecting citizens' information and communications security, they were not even designated as critical information and communications infrastructure due to loopholes in the system," and added, "The designation and management system for such infrastructure must be thoroughly re-examined immediately, and practical protection measures must be established."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
