"SKT Failed to Fulfill Duty of Care"
"Did Not Comply With Relevant Laws"
Regarding the SK Telecom USIM information leak incident, the government has determined that SKT should be exempt from penalty charges.
The joint government-private investigation team, led by the Ministry of Science and ICT, announced the final results of the SKT breach investigation at the Government Complex Seoul on July 4, stating, "Given that SKT's negligence was identified in this leak incident and that the company failed to fulfill its primary contractual obligations, we believe the penalty exemption provision can be applied in this case."
The investigation team concluded that SKT was negligent in the USIM information leak incident. The reasons cited were that SKT failed to fulfill its duty of care to protect USIM information and did not comply with relevant laws and regulations. Specifically, the Ministry of Science and ICT explained that issues such as poor account information management, inadequate response to past breaches, and insufficient encryption measures for critical information were identified. During this process, it was also confirmed that SKT delayed reporting the information leak, thereby violating the Information and Communications Network Act.
The investigation team also determined that SKT failed to fulfill its obligation as a service provider to protect USIM information and provide secure communication services. According to the Information and Communications Network Act, telecommunications operators are required to provide secure communication services, which is a key element in contracts with users. At the onset of this incident, only 50,000 subscribers were enrolled in the USIM protection service, and the Fraud Detection System (FDS) 1.0 had limitations in blocking all possibilities of USIM cloning.
As the investigation was concluding, the Ministry of Science and ICT sought additional legal advice from five advisory organizations. Four of these organizations concluded that the breach was due to SKT's negligence.
However, the Ministry of Science and ICT emphasized that this decision is limited to the SKT breach incident. The point is that not every cyber breach qualifies for penalty exemption under the terms and conditions.
The initial point at which the hacker planted malware on SKT's internal server was identified as August 6, 2021. While the interim investigation had pointed to June 2022 as the initial infection, it was actually about 10 months earlier.
After accessing a server within the system management network connected to the external internet, the hacker installed malware with remote control and backdoor functions to infiltrate other servers. At that time, account information such as IDs and passwords for managing other servers was stored in plain text, unencrypted, on the attacked server, which led to the incident.
Having easily obtained information to access core servers, the hacker infiltrated the telecom operator's core network, specifically the Home Subscriber Server (HSS) for voice call authentication, in December of the same year, and planted a type of malware called BPFDoor to begin controlling the server.
The malware planted by the hacker on SKT's internal servers included 33 types in total, with 27 types belonging to the BPFDoor family. There were also three types of TinyShell, one web shell, and one each of open-source malware CrossC2 and Sliver. On April 18, the hacker exfiltrated 9.82GB of USIM information stored on three HSS servers. The investigation team stated that this amount corresponded to the USIM information of all subscribers.
The investigation team recommended several measures to SKT to prevent recurrence: applying EDR solutions and antivirus software to detect and analyze all activities on network-connected devices such as servers, conducting regular security vulnerability checks on all assets at least once every quarter, and elevating the CISO's organization so that it reports directly to the CEO.
Minister of Science and ICT Lee Jongho stated, "This SKT breach incident was a wake-up call not only for the domestic telecommunications industry but also for information security across the entire network infrastructure," and added, "As the leading mobile carrier in Korea with significant impact on the public, SKT must thoroughly address the vulnerabilities identified in this incident and prioritize information security as the top management priority going forward."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


