Written by 11:00 AM Tech

“Repeated Hacking Incidents at Three Major Telecom Companies… Need for Mandatory Investment in Information Security at a Certain Ratio”

National Assembly Legislative Research Service Report… KT, LG Uplus, and now SKT’s USIM information hacked
Insufficient investment in information protection at SKT… Incident despite government certification
“Improvement of certification system and inclusion of key servers in major infrastructure needed”

[SEOUL=Newsis] Reporter Hwang Jun-seon reports on the scene at a mobile carrier store in Seoul. According to the Korea Telecommunications Operators Association (KTOA) on the 2nd, 237,000 customers left SK Telecom, where a customer data hacking incident occurred in April, marking an 87% increase compared to the previous month. As SK Telecom announced a suspension of new subscriptions and number porting services starting from the 5th to speed up USIM replacements, customer departures are expected to increase.

[SEOUL=Newsis] Reporter Shim Ji-hye reports that legal amendments have been called for to improve information protection systems and prevent recurring hacking incidents at telecom companies. The report suggests requiring that information protection budgets make up a certain percentage of the IT budget and applying strengthened certification standards. Expanding the designation range for key information and communications infrastructure is also required.

On the 21st, the National Assembly Legislative Research Service released a report titled “Strengthening Information Protection to Prevent Telecom Hacking.”

Hacking incidents have occurred not only at SK Telecom but also previously in 2012 and 2014 at KT, and in 2023 at LG Uplus.

In 2012, KT’s business system was breached, resulting in the leak of subscriber information such as names, resident registration numbers, and plan usage for approximately 8.7 million people. In 2014, the names, resident registration numbers, and account numbers of about 12 million people were leaked due to a website vulnerability. In 2023, the names, phone numbers, addresses, and USIM information of around 300,000 people, which had likely been leaked from LG Uplus’s customer authentication system in 2018, were discovered on illegal trading sites, bringing the hacking damage to light only belatedly.

The SK Telecom hacking incident is specifically noted as the worst security breach in the history of domestic telecoms, as the central server managing critical information for potential USIM cloning was hacked. SK Telecom is the leading mobile carrier in the country with the largest number of subscribers.

During two National Assembly hearings, various shortcomings related to SK Telecom’s information protection were addressed.

As of last year, SK Telecom’s information protection investment amounted to 60 billion KRW. When combined with SK Broadband (26.7 billion KRW), it totals 86.7 billion KRW, still less than KT’s 121.8 billion KRW. LG Uplus spent 63.2 billion KRW.

SK Telecom had received the government’s ISMS-P certification, yet the hacking incident still occurred, calling into question the effectiveness of the certification system. The hacked home subscriber server (HSS), which is responsible for protecting personal data and communication security at a national scale, had not been designated as key information and communications infrastructure under the Information and Communications Infrastructure Protection Act, and this was cited as a deficiency.

Kang Eun-su, the legislative researcher who wrote the report, stated, “If a specific country or organization hacks into a telecom company’s core systems and takes control or paralyzes the communication network, it could escalate beyond substantial personal data leakage to a national cyber security threat,” emphasizing the necessity to strengthen information protection measures to prevent such threats and hacking incidents.

For future improvements, Kang suggested expanding investments in information protection. To encourage telecom companies to expand their information protection investments, amending the Information and Communications Network Act to specify an obligation for maintaining the information protection budget as a certain percentage of the IT budget should be considered.

He proposed enhancing the overall information protection certification system by applying stricter certification standards to security-sensitive high-risk industries like telecommunications and amending the law so that certification can be revoked or fines imposed in the event of severe legal violations. The report also suggested reinforcing on-site supervision during the annual post-evaluation by certification bodies.

Expanding the designation range for major information and communication infrastructures and strengthening the designation procedure through amendments to the enforcement decree of the Information and Communications Infrastructure Protection Act were also proposed.

It was noted that the recently hacked SK Telecom server was left vulnerable despite its potential to cause extensive disruption to the national telecom infrastructure, underscoring the oversight in its exclusion from major information and communication infrastructure.

Kang emphasized that the government should expand the designation range of major information and communication infrastructures to ensure that core servers of telecom companies are included.

The current enforcement decree of the Information and Communications Infrastructure Protection Act mandates self-evaluations for facilities selected by management agencies, with the government reviewing the results and, if necessary, subjecting them to committee deliberations comprising relevant experts.

He assessed the need for legislative amendments to make committee deliberations mandatory for high-risk industries like telecommunications.
