
[Q&A] Koh Haksoo: "SKT Maintained Overall Lax Security... USIM Information Is Personal Data"

Personal Information Commission Holds Plenary Session on the 27th, Briefing on the 28th
Record-Breaking Fine Imposed on SK Telecom for Hacking Incident
Classified as "Very Severe"... Aggravating and Mitigating Factors Applied

The Personal Information Protection Commission has imposed a record-high fine of 134.8 billion KRW on SK Telecom for the leak of personal information caused by a hacking incident. At a briefing on August 28, Privacy Commissioner Koh Haksoo said, "Overall, the company maintained a lax security posture for quite a long period. There were several opportunities to take corrective action, but those were missed."


He emphasized that 'USIM information' on mobile phones, which serve as a daily communication channel, constitutes extremely critical personal data. He noted that representatives from SK Telecom attended the commission's plenary meeting the previous day to explain the company's position and answer questions. Commissioner Koh also pointed out that the limited role of SK Telecom's Chief Privacy Officer (CPO) contributed to the incident. He announced plans to unveil a comprehensive policy next month to encourage large-scale personal information handlers, such as telecom companies, to expand investments in personal information protection and security.

Privacy Commissioner Koh Haksoo announced sanctions regarding the SK Telecom personal information leak incident at the Government Complex Seoul in Jongno-gu, Seoul on the 28th. The Personal Information Protection Commission imposed a fine of 134.791 billion KRW and a penalty of 9.6 million KRW on the same day. 2025.8.28 Photo by Jo Yongjun

The following is a Q&A with Commissioner Koh.


-How was the amount of the fine determined? Please explain the specific process and background.


▲Revenue unrelated to the leak was excluded from the company’s total sales. For example, since this case involved individual customers using LTE and 5G networks, revenue from corporate customers was not considered. According to the fine guidelines, a base amount was set, and then the seriousness of the violation was assessed. Afterward, the amount was adjusted through first and second rounds of aggravation and mitigation, resulting in the final figure.


The seriousness of the case was classified as "very serious." The violation period exceeded three years, which led to an aggravation. However, since the company did not gain direct economic benefit, this was considered as a mitigating factor. Efforts made by the company to compensate victims were also taken into account for mitigation.


-What direction is being taken regarding improvements to the personal information protection system, including the role of the CPO?


▲After this incident, the company newly appointed or recruited both a CPO and a Chief Information Security Officer (CISO), and reorganized its internal structure. This process is not yet complete, and the company is continuing to review and consider further measures. Preventing similar issues in the future is a key concern for the company.


In SK Telecom's case, although the CPO could oversee network infrastructure, in reality, the scope of responsibility had become very limited. The company and the commission will continue to discuss how to establish a system that can efficiently oversee the entire network. The establishment of a governance framework is still in progress.


-What opinions did SK Telecom present at the plenary meeting yesterday?


▲The company attended and provided a very detailed explanation. They addressed the specific issues we raised and explained, in broader terms, how they plan to make improvements going forward. Previously, their position was that they had done everything reasonably possible, but yesterday they acknowledged that there were indeed problems and expressed regret and apologies. The company's explanation was somewhat different from before.


They explained in various ways that they will communicate much more proactively with the commission and do their utmost to prevent future problems. The commissioners asked questions about points of curiosity, listened to the company's explanations, and engaged in a Q&A session. Compared to other cases, significantly more time was devoted to this discussion. The meeting continued past dinner time, with discussions taking place over kimbap.


-Compared to the fine imposed on Google in 2022, was it easier to determine causality in this case?


▲Within the commission, we broadly distinguish between breach incidents and leak incidents. This case falls under the leak incident category. In cases where hackers infiltrate and extract information, if the investigation is conducted soon after the incident, there tends to be relatively abundant data, such as company logs, access records, and network status, making it easier to understand the situation quickly.


Cases involving companies like Google and Meta are classified as breach incidents. These are not situations where hackers or unauthorized individuals illegally infiltrate and extract information. Each breach incident requires a different type of assessment and analysis. Therefore, in the cases of Google and Meta, it took much longer to analyze, organize, and discuss the essence of the incident.


-Did you determine that this incident caused significant harm to the public? Was USIM information considered personal information?


▲Yes. The commissioners concluded that the company maintained a generally lax security posture for quite a long period. The company was in a very vulnerable state overall, and there were several opportunities to take corrective action, but these were missed. This left the commissioners feeling frustrated. SK Telecom is a carrier used by about half of the country's population, and the USIM information on mobile phones, which are a daily communication channel, is the fundamental starting point from an engineering perspective.


Because information that is most essential for an individual to communicate externally was leaked, it was naturally regarded as personal information, and there was never any internal doubt about this classification.


-What is the likelihood that SK Telecom will file an administrative lawsuit?

▲It is not possible to predict at this moment whether the company will proceed with litigation. During the sanction process, a task force was formed for the investigation, and, given the scale of our organization, an unusually large number of personnel were assigned to the task force. Not only investigation experts, but also legal and accounting experts were involved.


-What will be included in the comprehensive plan for managing the personal information safety system?


▲Next month, we plan to announce a comprehensive policy to strengthen the personal information safety management system. This will include measures to encourage large-scale personal information handlers to expand investments in personal information protection and security, as well as a reorganization of the incentive system.


In many cases, personal information managers have not been given significant roles within their organizations, and in some situations, they have been left to shoulder responsibility alone during crises. We are preparing measures to ensure that they are granted appropriate authority and can secure organizational resources and budgets commensurate with their responsibilities. We are currently refining these plans in consultation with external parties and will finalize and announce them soon.


The main policy direction is to enable those working in the field to have a sense of responsibility and mission, to proactively consider and address risk factors, and to determine how best to provide incentives. That is the framework we are considering.


-Seven of the nine commissioners attended the meeting yesterday. Why were two absent?


▲Seven commissioners participated because two recused themselves. The two recused themselves after judging that their participation could potentially compromise the fairness of the decision.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
