Results of Over a Year’s Worth of Data Investigation
Six Additional Small Payment Victims Identified in Anyang and Other Areas
Cumulative Damages Reach Approximately 243 Million Won
On October 17, KT held a second briefing at its Gwanghwamun West office in Seoul regarding the small payment hacking incident and officially announced the results of a comprehensive investigation covering one year and two months of data. The number of illegal femtocell (miniature base station) IDs confirmed increased from four to a total of 20, with 16 additional IDs identified. The number of additional victims was six, bringing the total to 368, and the total amount of damages increased by 3.19 million won to a cumulative sum of approximately 243 million won. However, the actual channel through which personal information such as dates of birth, required for payment, was leaked remains unknown.
KT stated that it conducted a thorough analysis of 1.5 billion telecommunications payment agency transactions and over 4 trillion connection logs between mobile phones and base stations that occurred from August 1, 2024, to September 10, 2025. This included 84 million small payment transactions and 63 million DCB (Direct Carrier Billing, in-app purchases charged to phone bills) transactions. KT explained, "We cross-verified the access history of illegal femtocell IDs with all payment data to extract abnormal transactions."
Of the 16 newly identified illegal femtocell IDs, suspicious unauthorized small payment activity was detected with only one ID. Protective measures are currently being implemented for the newly identified affected customers, and supplementary reports have been filed with relevant authorities such as the Personal Information Protection Commission. KT reiterated, "The time of damage occurrence remains August 5, as previously reported, and since the blocking measures implemented on September 5, there have been no new cases of damage."
The affected customers were found to be concentrated in the Seoul metropolitan area, including Seoul, Gyeonggi, and Incheon, with new payment damages occurring in Anyang City. The total number of customers who accessed illegal femtocells increased by approximately 2,200 to about 22,200.
KT analyzed around 4 trillion base station connection records to identify abnormal cells operating intermittently or irregularly. According to KT, normal femtocells operate consistently over long periods, while illegal devices exhibit frequent connection fluctuations and a higher frequency of error messages. Lee Sejeong, Chief Digital Officer (Executive Vice President) of KT's Technology Innovation Division, explained, "The increase in illegal femtocell IDs is the result of an extended investigation period and more sophisticated detection logic," adding, "We merged all payment and connection data held by KT to investigate every possible area."
During the Q&A session at the briefing, when asked about the possibility of additional damages, KT stated that based on the current data, no further cases have been identified. However, the company noted that it is impossible to analyze data from before August last year due to data retention limitations. Regarding the police's statement that it would be difficult to operate 20 IDs with a single device, KT commented, "The existence of additional equipment is under investigation," declining to elaborate further.
Concerning the recent request for investigation by the Ministry of Science and ICT regarding suspicions of "server disposal," KT clarified, "We disposed of servers with no evidence of intrusion, and there was no intentional cover-up," adding, "We immediately submitted the stored backup data to the police."
The route of the personal information leak remains unknown. KT stated, "We are currently working with a joint public-private investigation team to determine where the basic information required for payments, such as names and dates of birth, was leaked," and added, "It is our current assessment that it is not possible to obtain key personal information using only illegal base stations."
KT announced, "We have fundamentally revamped the network linkage structure to prevent illegal devices from connecting to the network," and added, "We will fully implement illegal pattern detection and blocking logic within this month, and verification will be conducted by the joint public-private investigation team."
Kim Younggeol, Head of Service Product Division (Executive Vice President), stated, "All 20,030 customers suspected of being affected are covered by the 'Safety Assurance Insurance,' and the newly identified victims will receive the same benefits." More than 2,000 offline stores nationwide have deployed professional counselors to provide related services, including malicious app removal and phishing insurance enrollment.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
