SEOUL, South Korea – SK Telecom, one of South Korea's largest mobile carriers, has agreed to waive contract termination fees for customers affected by a massive data breach, a decision prompted by a government investigation that found significant negligence on the company's part. The hack, which began as early as 2021, led to the exposure of 26.96 million subscriber identification numbers (IMSI) and a total of 9.82 gigabytes of personal information – essentially, the SIM card details of all its subscribers – in April of this year.

The Ministry of Science and ICT (MSIT) announced on July 4th the final results of a joint public-private investigative team, unequivocally placing responsibility for the incident on SK Telecom. The ministry stated that the company failed in its fundamental duty to provide secure telecommunication services to its users and therefore must apply contract termination fee exemptions.

A Breach Years in the Making 

The investigation revealed a troubling timeline: malicious code was first installed on SK Telecom's servers in August 2021. The company detected abnormal reboots on a specific server and identified infected servers in February 2022. Despite this discovery, SK Telecom failed to report the breach to authorities for three years, attempting to handle the situation internally. This delay is seen as a critical factor in the escalating scale of the information leak.

The investigative team conducted a thorough examination of 42,605 SK Telecom servers, identifying 28 that were compromised. A total of 33 types of malicious code, including 27 variants of the BPFDoor family, were found to have been planted by the hackers. This sophisticated malware allowed attackers to maintain persistent access and exfiltrate vast amounts of data.

Furthermore, the investigation uncovered a series of critical security vulnerabilities within SK Telecom's infrastructure. These included poor management of account information, inadequate responses to past security incidents, and insufficient encryption measures for important information. Specifically, it was found that server account passwords within the system management network were not changed for extended periods. Even more concerning, account information such as IDs and passwords for managing other servers were stored in plain text rather than encrypted format on the compromised servers, essentially providing attackers with keys to the kingdom.

Adding to the gravity of the situation, SK Telecom was found to have arbitrarily taken action on two servers, rendering forensic analysis impossible, even after the government issued an order to preserve evidence for incident analysis. The MSIT plans to refer these alleged legal violations to investigative authorities.

While the immediate concern of cloned phone secondary damage has been downplayed by the investigation team, Ryu Je-myung, Second Vice Minister of Science and ICT, stated that "the intentionality (of the incident) or any criminal aspects of SK Telecom will be revealed through police investigation."

Repercussions and Remedial Measures 

In response to the findings and public outcry, SK Telecom held an emergency press conference, outlining its compensation plans. The company announced it would waive termination fees for all customers who canceled their contracts after April 19th, 00:00 KST, when the breach was discovered, and for those who plan to cancel by July 14th. These fees represent the entire or partial return of discounted benefits received during the contract period. Customers who have already paid termination fees will be eligible for a refund upon application.

Beyond the termination fee waivers, SK Telecom unveiled a significant compensation package for all its subscribers. Approximately 24 million customers, including those using SK Telecom's network through budget mobile virtual network operators (MVNOs), will receive a 50% discount on their mobile phone bills in August, an additional 50GB of data every month until the end of the year, and substantially expanded membership discounts. The total value of this compensation package is estimated at 500 billion Korean Won (approximately $360 million USD).

To bolster its long-term security posture, SK Telecom also committed to investing 700 billion Korean Won (approximately $500 million USD) over the next five years to enhance its information protection levels.

These remedial actions come with a hefty financial burden for SK Telecom. Yoo Young-sang, CEO of SK Telecom, previously stated in the National Assembly that waiving termination fees alone could result in losses of up to 7 trillion Korean Won (approximately $5 billion USD) over three years. Reflecting the impact of the hacking incident, customer compensation, and anticipated subscriber churn, SK Telecom officially revised its annual revenue forecast downwards by 800 billion Korean Won (approximately $575 million USD), from 17.8 trillion Won to 17 trillion Won.

The MSIT will also impose administrative fines on SK Telecom for delaying and failing to report the breach. This incident serves as a stark reminder of the critical importance of robust cybersecurity measures and transparent reporting for telecommunication providers, who hold the personal data of millions of citizens. The full extent of SK Telecom's accountability, including any criminal liabilities, remains subject to further police investigation.