- December 2, 2025
- Posted by: guyadmin
- Category: Safety, Privacy & Security
Data breaches can be extremely costly, and the story of South Korean company SKT proves just that. SKT, South Korea’s largest mobile carrier with approximately 25 million subscribers, experienced a devastating incident last April: a data breach affecting 23.2 million LTE and 5G users. Critical data was exposed – authentication keys, identification numbers, and more – enabling SIM card cloning and user impersonation, in addition to sensitive personal information.
Like any mega-incident, the organization was not quick to reveal the full truth. The natural instinct of people who have failed – even if they’re Korean – is to pray they won’t understand, stay silent, and hope the situation will pass. But in large systems, there are no secrets, and the full scale of the failure was exposed within a few weeks.
As a result of the breach, SKT launched a massive compensation program: rate discounts, additional data, and coupons totaling $349 million. But that was only the beginning. South Korean authorities imposed a record fine of $96.5 million on SKT for neglecting security obligations and delaying breach notification. Beyond that, replacing all USIM cards, suspending new subscriber services for two months, and strengthening security required an additional investment of approximately $250 million.
But all of this still doesn’t account for the broken trust between the company and its customers. Nearly 4,000 subscribers filed compensation claims with the government’s Privacy Mediation Committee. The committee proposed earlier this week that each of them receive compensation of $220 for the mental distress caused. But this is just the tip of the iceberg. SKT is exposed to class action lawsuits that will gain momentum and precedent from this decision, and could impose an additional total cost of $5.6 billion if it has to compensate all its customers.
In terms of accountability, the CEO and chairman publicly apologized and said the company takes responsibility for any damage caused to its customers. Six months later, at the end of October, the CEO was fired – though it’s more accurate to say he was moved to a position on the group’s strategic council.
What exactly was the security failure? SKT committed a basic and severe error: storing USIM card authentication keys in plain text, without encryption, inside the servers. Yes, you read that right – critical data was stored as plain text that anyone who manages to breach the servers could read. Additionally, the system ran on an outdated operating system with known vulnerabilities and was connected to the internal management network, which enabled the breach. Sometimes the failure is right under the lamppost.
This is another example of why cybersecurity is hot and expected to continue growing, and an example of a well-known rule – the cost of preventing a breach is always lower than the cost of dealing with it.