Republic of Korea: Personal Information Protection Commission imposed a KRW 134.791 billion fine and penalty of KRW 9.6 million on SK Telecom for violations of safety measures and data breach notification requirements

On 27 August 2025, the Personal Information Protection Commission adopted a decision to impose a fine of KRW 134.791 billion and a penalty of KRW 9.6 million on SK Telecom for violating the Personal Information Protection Act. The sanctions were imposed due to the leak of sensitive digital personal information, including subscriber identification numbers and SIM authentication keys, affecting approximately 23 million mobile communication service users. The investigation found that SK Telecom had failed to implement adequate security measures, such as proper firewall configurations, secure server account management, encryption of SIM authentication keys, and timely security updates. These shortcomings enabled hackers to access and extract personal data. The commission further determined that SK Telecom had not complied with the legal requirement to notify affected users within 72 hours of the breach, which led to public confusion. The decision also issued a corrective order requiring SK Telecom to strengthen its security measures, establish a company-wide personal information governance system, ensure the effective role of the Chief Privacy Officer, and extend its Personal Information Protection Management System (ISMS-P) certification to its telecommunications and mobile communication network systems.