"Confirmed Lack of Antivirus in Key Systems... Inadequate Measures"
"Comprehensive Investigation Underway into SKT's Personal Information Processing Systems"
SK Telecom (SKT), which recently experienced a USIM information leak incident, will notify all users of the personal information breach by May 9.
The Personal Information Protection Commission announced on May 8 that SKT had reported its plan to send the first round of breach notifications to all 25.64 million users, including MVNO (budget phone) subscribers, based on information confirmed as of April 18, by May 9.
Personal Information Protection Commission logo. Provided by Personal Information Protection Commission
Previously, on May 2, the Personal Information Protection Commission held an emergency plenary meeting and resolved that SKT must individually notify all users of the breach. At that time, SKT only posted a general notice on its website stating that "some customer information is presumed to have been leaked." The text message sent by SKT to all users included only an apology for the incident, information about the USIM protection service, and instructions for USIM replacement.
According to the Personal Information Protection Act, when notifying users of a personal information breach, the notice must include: ▲ the items of personal information leaked ▲ the timing and circumstances of the leak ▲ methods to minimize damage ▲ the data handler's response measures and compensation procedures ▲ the department and contact information for damage reports.
As of now, the types of personal information confirmed to have been leaked in this incident include a total of 25 items, such as: ▲ users' mobile phone numbers stored in the Home Subscriber System (HSS) ▲ International Mobile Subscriber Identity (IMSI) ▲ USIM authentication keys ▲ other USIM-related information.
Additionally, the Personal Information Protection Commission is conducting a comprehensive investigation into each individual system within SKT that handles personal information. The Commission confirmed that key systems involved in the leak did not have security programs (antivirus) installed to prevent malware. The Commission judged that this indicates a lack of basic technical and administrative measures related to personal information protection.
Accordingly, the Personal Information Protection Commission is conducting a thorough investigation into compliance with safety measures for major personal information processing systems, including not only the HSS (related to voice calls) and WCDR (related to billing) servers where the breach occurred, but also the mobile phone activation system, authentication system, and billing system.
A Commission official explained, "We are meticulously reviewing the effectiveness of the emergency recurrence prevention measures implemented after the incident to ensure the prevention of further personal information leakage damage."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
