[Q&A] "Possibility of IMSI Leak for 5,561 KT Customers...USIM Replacement Underway"

KT has confirmed signs of customer information leakage through illegal micro base stations in connection with recent microtransaction fraud incidents. Investigations have found that the International Mobile Subscriber Identity (IMSI) of a total of 5,561 customers may have been leaked externally as a result of this incident. KT is proceeding with Universal Subscriber Identity Module (USIM) replacements for customers whose IMSI may have been compromised, and also plans to prepare compensation measures in the future.

On the afternoon of September 11, KT held a press conference on unauthorized microtransactions at its headquarters in Jongno-gu, Seoul, and disclosed these findings. The following is a Q&A session with KT officials, including Hwang Taeseon, Head of Information Security, and Koo Jaehyung, Head of Network Technology.

The scene of the press conference on unauthorized microtransactions held by KT on the afternoon of the 11th at the headquarters in Jongno-gu, Seoul. Photo by KT

- It is difficult to suffer microtransaction fraud solely from an IMSI leak. Is there any indication of other data being leaked? What is the basis for your confidence that there are no cloned phones?

▲ The IMSI can be seen as a kind of "message" sent for the purpose of illegal base station location registration. Since there has been no hacking history with the Home Subscriber Server (HSS), device identifiers (IMEI) or authentication keys required for illegal cloning have not been exposed.

Microtransactions require the user to enter personal information such as their date of birth, followed by ARS authentication. In this incident, there is no indication that information other than the IMSI was leaked. This is a matter that should be clarified through further investigation by relevant authorities and the police.

- Some have raised the possibility that illegal micro base stations may have been installed inside KT. Has the existence of these micro base stations been confirmed?

▲ There is no evidence that they were inside KT. It can be inferred that the perpetrator has considerable knowledge of telecommunications, but whether the person is an insider has not yet been confirmed. We have not actually seen the physical micro base stations; rather, we inferred their existence by identifying base station IDs in the billing records of customers affected by microtransaction fraud and blocking them accordingly.

- Why did KT not notify customers through its website or text messages, even though the company was informed by the police on September 1? There are claims that the investigative agency received a response from KT suggesting that such incidents could not occur. Is this true?

▲ Even when notified by investigative agencies, personal information is not typically handed over, so we analyze the issue through VOCs (Voice of Customers) received at the customer center. We should have been more vigilant given the large number of cases, but although it was unusual, we initially identified it as a smishing case. As reports accumulated and the situation became more serious, we implemented provisional restrictions on September 5. We sincerely apologize for causing concern by not responding even more quickly.

- Is there a possibility that someone accessed KT's internal network for criminal purposes and stole information?

▲ We are investigating whether there is any indication of criminal infiltration into the network. KT's internal team and experts from the Korea Internet & Security Agency (KISA) are jointly conducting inspections.

- Are there plans to waive penalties for customers who wish to switch carriers?

▲ We will consider this as part of our compensation plan and will review it proactively from the customer's perspective.

- The fact that illegal micro base stations were not detected raises questions about how the network is managed. How is network management conducted?

▲ We suspect that the devices connected to the KT network in some way. When we searched the IDs of the equipment accessed by affected customers, they were not found in KT's management system. We then conducted a full survey of all micro base stations. We suspect that the illegal base stations are devices that had previously been connected to the KT network.

- What is the current inventory of USIM cards for replacement? Can affected customers have their USIMs replaced immediately?

▲ We have sufficient USIM inventory for the 19,000 people who have records of connecting to illegal base stations. Those who wish to replace their USIMs can do so through a visit to KT Plaza, delivery service, or on-site replacement. We currently have over 1 million USIM cards in stock.

- In July, KT announced plans to invest about 1 trillion won over five years to strengthen security. Are there plans to increase this investment in light of the current incident?

▲ We will consider this further. The amount of 1 trillion won over five years is already a significant sum, and such large-scale investments are not implemented immediately. We view this as a long-term effort to strengthen our security framework and will adjust investment priorities in light of this incident.

- Did last year's restructuring and organizational changes have any impact on this incident?

▲ Last year, there were about 210 security personnel based on internal staffing. About 20 security staff members were included in the voluntary retirement program. These individuals were responsible for compliance, and there were almost no technical security engineers among them. We do not believe the number of retirees is connected to this incident.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.