KT Reverses Stance Again... Warnings Grow Over Additional Personal Data Leaks

Despite Police Notification of Unauthorized Small Payments,
KT Responded, "Such an Incident Is Impossible"
Claimed "No Personal Data Leak," Then Reversed Position Within a Day
Delayed Blocking Measures and Customer Notification Worsened the Damage

[Photo: Yonhap News Agency]

While KT was slow to respond to a new hacking method involving illegal miniature base stations (femtocells), concerns have grown that not only International Mobile Subscriber Identity (IMSI) information but also additional personal data may have been leaked, further intensifying the controversy. KT initially dismissed the possibility of hacking, attributing the issue to customer error, but later reversed its stance and belatedly confirmed signs of a personal data breach. Critics point out that delayed blocking measures and late notification to customers contributed to the spread of damage.


The police notified KT of unauthorized small payment fraud on September 1, but at the time, KT reportedly responded by saying, "That kind of incident is impossible." Even as late as September 10, KT maintained, "There is no indication of personal information leakage," but on September 11, the company changed its position, stating, "There is a possibility that 5,561 IMSI records were leaked externally." As damage reports accumulated, KT belatedly acknowledged that this was not a simple smishing incident but a hacking case.


KT's response continued to be delayed. Even after the damage reports were received on August 27 and the police notification on September 1, there were no immediate blocking measures. Abnormal payment patterns were not blocked until September 5. Notification to affected customers was also inadequate. Instead of sending text alerts, KT only posted a notice on its website, meaning customers had to check their own payment records to discover the incident.

This incident occurred because a femtocell not registered on the KT network was able to connect without being detected. KT only identified the existence of the fake base station on September 8 during an analysis of the victim's call records. Experts criticized the company, stating, "While this was not a core network breach, the failure to filter out unauthorized base stations indicates poor management."


KT belatedly held a press conference on September 11, bowing and stating, "We sincerely apologize for not responding quickly in various aspects." The company announced that it would provide free USIM card replacements for a total of 19,000 people, including 5,561 whose IMSI may have been leaked and all those with records of illegal base station connections. KT also pledged to fully reimburse the 278 cases of unauthorized small payments (about 170 million won). Regarding penalty waivers, the company said, "We will proactively review including this in our compensation plan."


KT explained that the problematic femtocell was likely a device that had previously been registered on its network. It is suspected that the device was not discarded during the replacement process, was leaked externally, and then exploited in the crime. The illegal femtocell ID used in this incident also followed KT's own device identification system.


So far, the only information KT has admitted was leaked is IMSI. However, since small payments cannot be processed with IMSI alone, whether additional data was leaked has become a key issue in the investigation. In reality, mobile small payments require the entry of the name, phone number, and date of birth, followed by authentication via an automated response call (ARS). Victims testified that, mostly during early morning hours, ARS authentication was conducted without their knowledge, resulting in losses such as gift card purchases, transportation card recharges, and in-game currency purchases. Koo Jaehyung, head of KT's Network Technology Division, stated, "Connecting to an illegal base station does not allow someone to extract a date of birth," adding, "These questions will only be resolved once the perpetrator is identified."


However, security experts warn of the possibility of a more serious personal information breach. Professor Yeom Heungyeol of Soonchunhyang University said, "If a femtocell is illegally connected to the network, attackers can even view text messages and call content," adding, "It appears that the attacker in this case used the femtocell in a highly sophisticated manner."



© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

