Conclusion of 'Company At Fault' After Consulting Five Law Firms
Possibility of Retroactive Application for Customers Who Terminated After April 18
The government has determined that the recent USIM hacking incident involving SK Telecom constitutes a reason attributable to the company that warrants exemption from penalty fees. This means that SK Telecom cannot impose penalty fees on subscribers who switch to other carriers. The government also officially stated that if SK Telecom refuses to comply, it may consider measures under the Telecommunications Business Act, including corrective orders and cancellation of registration.
On July 4, Ryu Jemyung, Second Vice Minister of Science and ICT, held a briefing at the Government Complex Seoul to announce the final results of the joint public-private investigation into the SK Telecom hacking incident. He stated, "SK Telecom failed to fulfill its duty of care to protect USIM information and violated relevant laws, including the Act on Promotion of Information and Communications Network Utilization and Information Protection. Therefore, we have concluded that this falls under the grounds for penalty fee exemption as stipulated in Article 43, Paragraph 1 of the terms of service."
Article 43 of SK Telecom's terms specifies that "if the contract is terminated for reasons attributable to the company, penalty fees are exempted." The government sought legal advice from a total of five law firms to reach this decision, and four of them concluded that there was indeed a reason attributable to the company.
Government: "Clear Breach of Contractual Obligations"
The Ministry of Science and ICT identified three main reasons for attributing fault to SK Telecom: poor security management, such as storing administrator account information in plain text; failure to report and insufficient analysis of a similar security breach that occurred in 2022; and failure to encrypt critical information such as USIM authentication keys (Ki).
Vice Minister Ryu stated, "SK Telecom managed multiple account credentials in plain text on its servers, and these credentials were exploited by attackers. This level of security falls short not only of the standards set by relevant laws but also of the duty of care generally expected of service providers." He further explained, "The Global System for Mobile Communications Association (GSMA) recommends encryption of USIM keys (Ki), and other domestic carriers have implemented this, but SK Telecom alone managed them in unencrypted form."
In addition, the fact that SK Telecom failed to report the similar breach in 2022 to the government and handled it internally was highlighted as a serious issue. Vice Minister Ryu said, "There were signs of malware infection at that time, but only a partial analysis of log records was conducted, causing them to miss a significant security risk."
To support its decision legally, the government sought opinions from five law firms. Four of them concluded that SK Telecom's actions constituted a reason for penalty fee exemption, based on the investigation results. One firm reserved its opinion, stating that additional information was needed for a final judgment.
Vice Minister Ryu emphasized, however, that this decision is not a generalized interpretation but is based on the specific circumstances of this incident. He explained, "This is a case where the trust foundation of the contract was broken due to the leakage of USIM information in a situation where protective measures were inadequate." He added that even in similar incidents, the decision regarding penalty fee exemption may differ depending on the circumstances.
Possibility of Retroactive Application of Penalty Fee Exemption... "Government to Strengthen Information Security Management"
The Ministry of Science and ICT has determined that penalty fee exemption can be applied retroactively based on the date of the USIM information leak, which was April 18. In other words, customers who terminated their contracts after the leak, such as through number portability, may be eligible for retroactive refunds. Vice Minister Ryu said, "I expect that SK Telecom will define and present the specific scope for the remaining customers."
He also stated, "The government explained its official position to SK Telecom this morning, so the company is likely reviewing it internally. If SK Telecom refuses to exempt penalty fees, the government can issue a corrective order under Article 92 of the Telecommunications Business Act. If the company does not comply, cancellation of registration under Article 20 may also be considered."
The government plans to use this incident as an opportunity to review the overall information security system and pursue institutional improvements. Vice Minister Ryu said, "We are discussing various improvement measures, including legal revisions and increased investment, with the task force within the National Assembly's Science, ICT, Broadcasting and Communications Committee. We will work with the National Assembly to promptly establish institutional safeguards."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


