T-Mobile and AT&T Fined Billions for Data Breaches
Kakao's 15.1 Billion Won Fine Is the Largest for Personal Data Leaks in Korea
As legal action in response to the SK Telecom USIM information leak incident is gaining momentum, compensation cases involving major U.S. telecommunications companies that have experienced large-scale customer data breaches in the past are drawing attention.
According to the legal community on May 1, the Lawpid Law Office submitted an application for a payment order to the Seoul Central District Court on April 30, demanding 500,000 won in damages per person from SK Telecom.
Other law firms, including the class-action specialist network law firm Lawjipsa, are also taking on cases to claim damages for individuals affected by the SK Telecom personal information leak. On April 29, the law firm Daeryun formalized the procedure for a "SKT Personal Information Leak Victims Class Action," and on May 1, officially filed a criminal complaint and accusation against SK Telecom with the Namdaemun Police Station in Seoul.
Meanwhile, compensation cases involving major U.S. telecommunications companies that have experienced large-scale customer data breaches in the past are being revisited. In the 2020s, the major U.S. telecom companies that have experienced customer data breaches include T-Mobile and AT&T.
T-Mobile, one of the three largest mobile carriers in the United States, caused a stir in 2021 when credit inquiry data containing the names, dates of birth, social security numbers, and driver's license numbers of more than 76.6 million current, former, and potential customers was leaked. Of these, 850,000 customers had their account PINs exposed, prompting the company to forcibly reset those accounts.
T-Mobile notified all customers of the breach via email and text message and decided to provide McAfee's security services free of charge for two years to all customers, regardless of whether they were affected. However, consumers filed lawsuits against T-Mobile, and the company agreed to pay $350 million (approximately 459 billion won) in compensation. As a result, T-Mobile customers received up to $25,000 (about 32 million won) per person in compensation.
AT&T, the largest U.S. telecom company by market share, has also been involved in several customer data breach incidents. In 2023, customer proprietary network information (CPNI) containing the names, wireless phone numbers, number of lines, call volumes, and plan details of 8.9 million customers was leaked from a third-party marketing firm's cloud storage. In response, AT&T paid a $13 million (about 1.7 billion won) fine to the U.S. Federal Communications Commission (FCC).
The following year, it was revealed that the call and text records of approximately 109 million customers had been compromised in a hack. The breach covered all customer call and text records generated between May and October 2022. At that time, AT&T negotiated with the hackers and paid $370,000 (about 550 million won) for the data to be deleted. In March of last year, AT&T also disclosed that the personal data of about 7.6 million current account users and about 65.4 million former customers had been leaked onto the dark web. As a result of these incidents, AT&T is under investigation by the FCC and is facing more than 20 individual and class action lawsuits in various states across the United States.
In contrast, in South Korea, the fines imposed for large-scale personal information leaks are relatively small, leading to calls for stronger punitive measures. In July 2023, the Personal Information Protection Commission imposed a fine of 6.8 billion won on LG Uplus for leaking about 300,000 customer records due to a hacking attack. Kakao was fined 15.1 billion won last year in connection with the leak of 65,000 user records due to a security vulnerability in the KakaoTalk Open Chatting feature. This is the largest fine ever imposed on a company for a personal information leak in Korea.
Amid these developments, attention is focused on the scale of the fine that will be imposed on SK Telecom. At a regular briefing on April 29, Choi Janghyuk, Vice Chairperson of the Personal Information Protection Commission, suggested the possibility of a much higher fine, stating, "Basically, the situation is on a completely different level compared to the LG Uplus (personal information leak) case." The Personal Information Protection Act, revised in September 2023, adjusted the maximum fine to "3% of total sales," excluding sales unrelated to the violation. Considering SK Telecom's annual sales last year (17.9406 trillion won), a simple calculation suggests that the company could face a fine exceeding 500 billion won.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.



