Mallory

SK Telecom Lawsuit to Overturn Record Fine for USIM Data Breach Disclosure Delays

Tags: SK Telecom, Seoul Administrative Court, disclosure delays, free USIM replacements, lawsuit, belatedly disclosed, subscriber financial losses, South Korea, USIM, data leak, 135 billion won, enforcement actions, Personal Information Protection Commission, record fine, security spending

Updated January 21, 2026 at 01:04 AM | 2 sources

SK Telecom filed a lawsuit with the Seoul Administrative Court seeking to revoke a record 135 billion won (US$91 million) penalty imposed by South Korea’s Personal Information Protection Commission (PIPC) following a cyberattack and subsequent data leak affecting the carrier’s entire 23 million-user base. Reporting indicates the fine was issued after SK Telecom belatedly disclosed a breach of its servers that exposed universal subscriber identity module (USIM) information, and the company moved to challenge the decision just ahead of the deadline to seek revocation.

The PIPC penalty is described as the largest ever issued by the regulator since its establishment, exceeding the combined fines levied against Meta and Google in 2022. In response to the incident and regulatory scrutiny, SK Telecom offered free USIM replacements to users and is expected to argue that its post-incident security spending and reforms, along with the absence of reported direct subscriber financial losses, warrant reconsideration and that the fine is disproportionate compared with prior enforcement actions.

Related Stories

Telecom providers face legal and regulatory fallout after major data breaches and service disruption

Comcast moved toward resolving litigation tied to its 2023 **Citrix Bleed**-linked breach, after a federal judge in Pennsylvania granted preliminary approval to a **$117.5M** settlement covering two dozen class actions. The incident was reported as potentially affecting **~30M** current and former customers; proposed relief includes **three years of credit/identity monitoring** plus either reimbursement of documented losses (up to **$10,000**) or a **$50** cash option, while Comcast continues to deny liability despite not opposing preliminary approval. Separately, South Korea’s **SK Telecom** rejected a government-affiliated consumer agency’s proposed compensation framework for a personal data leak, declining a plan that would pay **100,000 won (~$69.40)** per affected petitioner and potentially scale to a much larger total cost; the rejection leaves claimants to pursue individual civil suits. In a different telecom-related development not tied to a breach, the **FCC** opened a dedicated intake channel to collect customer reports as it investigates the **January 14 Verizon outage** that disrupted calling/texting for roughly **10 hours**, including impacts to **911** access; Verizon attributed the disruption to a software issue and offered customer credits.

1 month ago
CNIL Fines Iliad Subsidiaries Free and Free Mobile for Security Failures Behind 2024 Data Breach

France’s data protection regulator **CNIL** issued a collective **€42 million** fine against Iliad Group subsidiaries **Free** and **Free Mobile** for **GDPR** violations tied to an October 2024 breach that exposed personal data for more than **24 million** individuals, including sensitive financial identifiers such as **IBANs**. CNIL cited the scale and sensitivity of the compromised data, as well as the companies’ profits, in setting penalties of **€27 million** for Free and **€15 million** for Free Mobile. Regulators said the intrusion was enabled by inadequate security controls, including a **weak VPN authentication process** and insufficient monitoring to detect anomalous activity. Reporting indicates the attacker accessed Free’s network via the corporate **VPN**, then reached Free Mobile’s subscriber management tool **MOBO**, which at the time allowed searches across both Free and Free Mobile customer datasets; exfiltration reportedly began in early October 2024 after initial access in late September. CNIL also faulted the companies for **insufficient breach communications** to impacted customers and for **improper data retention** (including retaining former subscribers’ data), while noting remediation steps have been initiated and further security improvements were ordered.

2 months ago

South Korea Mandates Facial Recognition for SIM Registration to Combat Scams

South Korea has announced a new policy requiring facial recognition scans for individuals registering new mobile phone numbers, aiming to curb the widespread use of stolen identities in telecom-related scams. The Ministry of Science and ICT stated that the initiative, which will be implemented by the country's three major mobile carriers and mobile virtual network operators, is designed to prevent criminals from using stolen or fabricated IDs to activate SIM cards. The new requirement will compare the photo on an official identification card with a real-time facial scan, making it significantly harder to register devices under false names. This measure follows a series of high-profile data breaches and a surge in voice phishing scams, with over 21,000 cases reported in 2025 alone. The policy is set to take effect on March 23, following a pilot phase, and will leverage existing digital credential apps such as “PASS” to store and verify biometric data. Recent incidents, including the massive data breach at SK Telecom that exposed SIM card data of nearly 27 million subscribers, have highlighted the vulnerabilities in South Korea’s telecom sector. Authorities have responded with stricter penalties for carriers failing to prevent scams and have imposed significant fines for poor security practices, such as storing credentials in plaintext and lacking basic access controls. The government hopes that the new facial recognition requirement will restore trust and reduce the risk of identity-based telecom fraud.

2 months ago
