SK Telecom headquarters in Seoul (SKT)
SK Telecom headquarters in Seoul (SKT)

SK Telecom, the country’s largest telecommunication firm, confirmed Tuesday that its internal systems had been breached by a hacking attack, indicating a possible data leak involving USIM cards.

The company said it had reported the case to the Korea Internet & Security Agency, adding that there have been no confirmed cases of the leaked information being misused.

The mobile carrier detected suspicious activity around 11 p.m. on Saturday, indicating that hackers had infiltrated its internal systems and installed malware. Upon detection, the company said it immediately removed the malware, isolated affected equipment and launched a full-scale investigation across its systems.

As a precautionary measure, the company is also reinforcing its defense against illegal USIM swaps and abnormal authentication attempts. The company said it will also offer a USIM protection service free of charge to customers upon request.

"We will strengthen our company-wide security system to prevent recurrence and implement measures to restore customer trust," SK Telecom said in a statement.

Following the incident, the Ministry of Science and ICT and KISA have launched an investigation into the scope and cause of the data breach, while also forming an emergency response team.

"We have requested that SK Telecom preserve and submit relevant data related to the breach, and KISA experts have been dispatched to the site to provide technical support aimed at identifying the cause and preventing further damage," the ICT Ministry said.

If the incident is deemed a violation of Article 29 of the Personal Information Protection Act, which mandates implementation of security measures, SKT could face legal sanctions. Under Article 64-2 of the Act, fines of up to 3 percent of the related revenue may be imposed.

If the breach is deemed minor, authorities may opt to impose an administrative fine rather than pursue harsher penalties.

Under the Enforcement Decree of the Personal Information Protection Act, leaks involving over 1,000 records can result in fines of up to 50 million won ($35,200), with the amount adjusted based on the nature and severity of the violation.

By Jo He-rim (herim@heraldcorp.com)