Article Details

Scrape Timestamp (UTC): 2025-08-28 14:59:18.678

Source: https://www.theregister.com/2025/08/28/sk_telecom_regulator_fine/

Original Article Text

SK Telecom walloped with $97M fine after schoolkid security blunders let attackers run riot

Regulator points to lack of 'basic access controls' between internet-facing systems, internal network

South Korea's privacy watchdog has slapped SK Telecom with a record ₩134.5 billion ($97 million) fine after finding that the mobile giant left its network wide open to hackers through a catalog of bungles.

The case stems from a breach disclosed in April, when SK Telecom admitted that hackers had swiped the universal subscriber identity module (USIM) data of almost 27 million subscribers. To put that in context, the population of the entire country is a shade over 50 million.

The carrier tried to mitigate the fallout by offering free SIM replacements to affected customers, but regulators smelled something bigger and launched a full-blown probe into the leak.

The Personal Information Protection Commission (PIPC) said that the country's biggest carrier "did not even implement basic access controls" between its internet-facing systems and internal management network. As a result, attackers were able to infiltrate SKT's core systems, extract authentication data, and siphon off subscriber information at scale.

The privacy watchdog estimates that the damage was slightly less than SK Telecom initially claimed, with approximately 23 million subscribers affected by the breach – a mere 45 percent of the country's population.

According to the regulator's report, SKT failed at almost every layer of defense. The company allegedly didn't check logs from intrusion detection systems so it ignored anomalous behavior while attackers quietly mapped out the operator's infrastructure.

In one particularly damning finding, the PIPC report said administrators had dumped thousands of server credentials in plaintext on a management network server. Around 4,899 usernames and passwords for 2,365 servers were just sitting there, without so much as a password protecting access to Home Subscriber Server (HSS) databases, the regulator claimed.

It doesn't take much imagination to guess what happened next. Armed with the harvested account details, intruders appear to have hopped into the management servers, installed malware, and queried the HSS database directly. From there, they were able to view and extract subscriber information without so much as a raised eyebrow from SKT's monitoring teams.

The regulator also flagged failures around cryptography. It found that more than 26 million USIM authentication keys – the "Ki" values used to verify subscribers and provision mobile services – were left unencrypted in SKT's databases. That blunder would have handed attackers the means to replicate SIM credentials, raising the specter of large-scale identity fraud or cloned devices piggybacking on legitimate accounts.

"The security operating environment between the internet and the internal network was managed and operated in a state that was very vulnerable to illegal intrusion," the PIPC scolded in its decision.

In addition to the eye-watering fine, SKT has been ordered to implement a raft of remedial measures, including proper encryption, tighter access controls, and real-time monitoring of its intrusion detection systems. The PIPC said the size of the penalty reflected both the seriousness of the failings and the scale of personal information put at risk.

SK Telecom did not immediately respond to The Register's questions.

The PIPC's verdict is a reminder that telecom companies are high-value espionage and cybercrime targets, and regulators are losing patience when operators cut corners on basics. It also aligns with international warnings. Just yesterday, The Register reported that Salt Typhoon, the Chinese state-sponsored crew that has been infiltrating global telecoms routers since at least 2019, continues to wreak havoc inside company networks.

The difference here is that SKT didn't need a nation-state APT to get burned. According to South Korea's regulator, sloppy practices were enough to let intruders come in and walk off with subscriber data.

Daily Brief Summary

DATA BREACH // SK Telecom Fined $97M for Major Subscriber Data Breach

South Korea's privacy watchdog fined SK Telecom ₩134.5 billion ($97 million) for a data breach affecting approximately 23 million subscribers, nearly half of the country's population.

The breach involved the theft of Universal Subscriber Identity Module (USIM) data, exposing SK Telecom's failure to implement basic access controls between internet-facing systems and internal networks.

Investigations revealed that SK Telecom neglected intrusion detection logs, allowing attackers to map infrastructure and access sensitive subscriber data undetected.

Administrators reportedly stored thousands of server credentials in plaintext, enabling attackers to install malware and directly query databases for subscriber information.

The breach also involved unencrypted storage of over 26 million USIM authentication keys, risking large-scale identity fraud or device cloning.

SK Telecom is mandated to enforce encryption, tighten access controls, and enhance real-time monitoring as part of remedial measures.

This incident serves as a cautionary tale for telecom operators, emphasizing the critical need for robust cybersecurity practices to protect sensitive data.