Personal Information Protection Commission Chair Expresses Regret Over SKT Data Breach Notification
"Evidence Shows Data Passed Through Singapore"
"Secondary Damages Can Occur in Many Forms, Even Without Cloned Phones"
On May 21, Haksoo Ko, Chairperson of the Personal Information Protection Commission, stated, "From our perspective, the SK Telecom (personal information leakage) case is unprecedented in scale," adding, "The damage has already been enormous, and the company failed to prevent it."
Ko made these remarks while speaking with reporters at the Personal Information Policy Forum, co-hosted by the Personal Information Protection Commission and the Korea CPO (Chief Privacy Officer) Association, held at the Bankers Club in Jung-gu, Seoul on the same day.
The Personal Information Protection Commission formed a task force (TF) and launched an investigation, considering the seriousness of the matter, starting from April 22, when the leak was reported by SKT. Ko explained, "We are conducting an independent and rigorous investigation, separate from the joint public-private investigative team. The commission and related agencies are focusing all available resources to ensure a swift investigation."
He emphasized, "The entire dataset of 25 million customers stored on SKT's Home Subscriber Server (HSS) was hacked. The incident was reported to the commission on April 22, and from that day, we have proceeded on the clear assumption that personal information was leaked." In addition to the previously reported HSS hacking, the commission is also analyzing data from the Integrated Customer System (ICAS) server, where additional malware was recently discovered.
When asked whether the hacked personal information from SKT had been leaked on the dark web, Ko responded, "Nothing has been found yet," but added, "There are difficulties in monitoring."
Regarding the perpetrators behind the hacking, he stated, "In many hacking incidents, it is far more difficult to identify the exact cause or those responsible. There is evidence that the data moved from the HSS through Singapore, but it is difficult to determine who controlled the Singapore IP address," noting that international cooperation and additional time are required for the investigation.
Executives including SK Telecom CEO Yoo Sangyoung (third from left) are bowing in apology during a daily briefing on USIM information leakage held at SKT Tower in Jung-gu, Seoul. Photo by Yonhap News
Ko also expressed strong regret regarding SKT's process of notifying individual users about the information leak. He said, "The commission decided on May 2 that SKT should notify users, and the notification was sent on May 9, but there is much to regret. The delay in notification was problematic, and the content of the notification, which stated that 'the possibility of leakage would be communicated later,' did not meet the legal requirements."
He continued, "We determined that the notification was inadequate and belatedly done in a poor manner. That in itself is a problem," adding, "We sent an official letter to SKT indicating that their notification was insufficient."
He further stated, "Of course, we must monitor and strive to minimize secondary damages, but enormous damage has already occurred. It is wrong to say that real damage only happens if there are secondary damages. Even without cloned phones, secondary damages can take many forms," expressing concern.
Earlier, in his opening remarks at the forum, he emphasized, "The SKT personal information leakage incident is a very serious event that threatens public trust in the era of digital transformation and deepening artificial intelligence (AI). We will impose strong sanctions for any legal violations."
He urged, "With SKT's personal information leakage affecting approximately 25 million subscribers, public concern is extremely high. This incident should serve as an opportunity for both the public and private sectors to strengthen the overall personal information safety management system in our society."
The Personal Information Protection Commission formed a TF and launched an investigation considering the seriousness of the matter, starting from April 22, when the leak was reported by SKT. On May 2, the commission held an emergency plenary meeting and decided that SKT should notify individual users about the leakage.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
