"Veteran investigators deployed... Rapid investigation to ease public concern"
Penalty may reach up to 3% of annual revenue... Final amount to be determined after investigation
The Personal Information Protection Commission (PIPC) has announced its intention to hold SK Telecom (SKT) strictly accountable for the recent hacking incident involving USIM information. The PIPC began its investigation immediately after receiving a report from SKT.
On April 29, Choi Janghyuk, Vice Chairperson of the PIPC, stated during a regular press briefing held at the Seoul Government Complex in Jongno-gu, Seoul, "We intend to hold both global and domestic companies strictly accountable for large-scale personal information leaks."
According to the PIPC, the commission launched its investigation immediately after receiving a personal information leak report from SKT at 10 a.m. on April 22. The commission explained that it is unusual to begin an investigation on the same day the report is received. Vice Chairperson Choi said, "We have deployed veteran investigators, including in-house legal counsel, to the investigation and have also formed a task force with external experts," adding, "We will complete the investigation as quickly as possible to alleviate public concern."
The PIPC is currently investigating the scope of the personal information leaked in this incident and the security of SKT's servers. Choi explained, "We are currently focusing on the personal information contained in the leaked USIM data and the security measures of the main server that stores the USIM information."
There were also remarks that the severity of the SKT incident is greater than previous personal information leaks at other mobile carriers. As a result, the scale of the penalty is also expected to be larger than in past cases. Vice Chairperson Choi stated, "This incident is on a different level from the LG Uplus leak," explaining, "SKT's main server was hacked, whereas LG Uplus's value-added service server was hacked. At that time, it was before the amendment of the Personal Information Protection Act, so the criteria for calculating penalties were also different."
In January 2023, LG Uplus suffered a hacking attack that resulted in the leak of approximately 300,000 customer records. Subsequently, the PIPC imposed a penalty of 6.8 billion won and a fine of 27 million won on LG Uplus. At that time, the Personal Information Protection Act allowed for penalties of up to 3% of the relevant business revenue, but following a legal amendment, penalties can now be imposed up to 3% of total revenue.
However, it appears that it will take some time to determine the specific amount of the penalty, depending on the investigation. Vice Chairperson Choi said, "Revenue unrelated to the leak incident will be excluded from the penalty calculation, and there are some mitigating factors, such as cooperation with the investigation," adding, "It is too early to estimate the penalty at this stage."
On the implementation of security measures, which is the main factor in calculating the penalty, a question was also raised as to whether SKT's actions were insufficient. Vice Chairperson Choi stated, "The fact that the main server of the country's leading telecommunications company was hacked is symbolic," adding, "Although it appears that the measures taken were insufficient, this needs to be confirmed through the investigation."
The commission is also checking whether the USIM subscriber information leaked through the hacking has been exposed on the dark web (a closed web accessible only through specific programs). Lee Jungeun, Director of the PIPC's Investigation Division 2, explained, "Together with the Korea Internet & Security Agency, we are monitoring the dark web and have established a process for reporting and notifying if personal information leaks are confirmed," adding, "So far, data related to the SKT leak has not appeared on the dark web."
Meanwhile, regarding the resumption of download services for the Chinese generative AI service 'DeepSeek' on domestic app markets the previous day, Vice Chairperson Choi said, "We plan to check within 90 days whether DeepSeek has implemented corrective measures," adding, "We have received confirmation that information of domestic users transferred to DeepSeek before the privacy policy revision has been deleted."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


