Korea’s privacy regulator chief has indicated that SK Telecom (SKT) is likely to face a substantial fine due to a significant data breach that has raised alarm bells across the telecommunications sector. Personal Information Protection Commission (PIPC) chairman Ko Hak-soo stated on May 8, 2025, that the fine imposed on SKT will be considerable, reflecting the severity of the incident.
Speaking to the Korea JoongAng Daily after a seminar hosted by the American Chamber of Commerce in Korea (Amcham) in Seoul, Ko emphasized that the circumstances surrounding the breach warrant a high penalty. The recent hacking incident at SKT is particularly alarming, as it has affected a staggering 25 million subscribers, a far larger number compared to a previous incident involving rival LG U+, which faced a fine of 6.8 billion won ($4.86 million) in July 2023 for a data leak impacting 300,000 users.
Ko elaborated on the reasons why SKT’s penalty is expected to surpass that of LG U+. “Legal revisions introduced since then allow for tougher sanctions, the scale of SKT’s leak is significantly larger affecting 25 million subscribers, and unlike LG U+, where the breach involved a supporting database, SKT’s data was compromised directly from its primary database,” Ko explained.
Under the revised Personal Information Protection Act, which came into effect in September 2023, fines can now reach up to 3 percent of a company’s total revenue rather than just the revenue directly linked to the violation. This change could potentially lead to a record fine for SKT, depending on how the commission evaluates the incident. When asked whether the fine would surpass the 15.1 billion won figure set by Kakao following its data breach in May 2024, Ko refrained from providing a direct answer.
Meanwhile, SK Telecom CEO Ryu Young-sang has expressed concerns about the financial implications of the data breach, particularly regarding the potential waiver of early termination fees for users. During a National Assembly hearing on the same day, Ryu indicated that if the company opts to waive these fees, it could face significant profit losses, estimating that up to 5 million users might leave the company each month.
Ryu warned that this could translate into a financial loss of up to 7 trillion won ($5 billion), which includes both the termination fees and three years' worth of revenue from those users. "If we waive the fees, we expect the number to go over 10 times the current number to 2.5 million users who will switch off (to different carriers)," he stated, highlighting the urgency of the situation.
As of now, approximately 250,000 users have already switched to different carriers since the data breach was detected on April 18, 2025. Ryu noted that waiving the termination fees has been suggested as a damage control measure, but he emphasized the need for careful consideration of various factors before making a decision. “The issue involves not only legal aspects but also the ecosystem of mobile telecommunications and various losses for SK Telecom, all complexly intertwined,” he remarked.
SK Telecom, which boasts a subscriber base of 25 million—nearly half of Korea's population—is expected to start notifying its users potentially affected by the data breach by Friday, May 9, 2025. According to the PIPC, the leaked personal data includes a total of 25 types of information stored in SKT's main subscriber database, such as phone numbers, subscriber identity numbers, USIM authentication keys, and other USIM-related data.
In addition to the ongoing investigation into SKT, the PIPC has been scrutinizing major robot vacuum brands, including China’s Roborock, Ecovacs, and Xiaomi, since March 2025. This investigation stems from concerns that these manufacturers may be improperly collecting and transmitting Korean users’ personal data overseas. Ko mentioned that the PIPC is currently focused on examining privacy practices and legal compliance rather than imposing penalties, but he did not provide a timeline for when the investigation results would be released.
The fallout from the data breach at SK Telecom raises critical questions about data security and consumer trust in the telecommunications industry. As companies navigate the complexities of privacy regulations and the repercussions of such breaches, the stakes are higher than ever for both consumers and service providers.
In light of these developments, it is clear that the repercussions of the data breach will extend beyond immediate financial penalties. The potential loss of millions of subscribers could have a lasting impact on SK Telecom’s reputation and market position, prompting the company to take swift action to regain consumer confidence.
As the situation unfolds, stakeholders in the telecommunications sector will be watching closely, eager to see how SK Telecom responds to the challenges posed by this incident and what measures will be implemented to enhance data protection moving forward.
