What Happened
On 22 April 2025, SK Telecom, South Korea's largest mobile carrier with 23 million subscribers, detected unusual traffic on its network. Investigation revealed malware had infiltrated its USIM servers and exfiltrated 25 types of subscriber data, including phone numbers, International Mobile Subscriber Identity (IMSI) numbers, and critically, SIM authentication keys.
The authentication keys (called 'Ki' values) are the master credentials used to verify a subscriber's identity on a mobile network. In the wrong hands, they enable SIM cloning: an attacker could replicate your SIM card and intercept your calls, texts, and two-factor authentication codes.
SKT offered free SIM replacements to all 23 million affected subscribers. Over 9 million replaced their SIMs within weeks. The CEO publicly apologised. The SK Group Chairman publicly apologised. Then the regulator published their findings, and the real story came out.
PIPC Chairperson Haksoo Ko stated: "The company had been in a vulnerable state for quite a long time, with significant weaknesses across the board." This wasn't a targeted attack that bypassed world-class defences. It was a compliance failure waiting to be exploited.
Failure 1: No Encryption on USIM Authentication Keys
The PIPC found that over 26 million USIM authentication keys, the most sensitive data SKT held, were stored in plain text. Completely unencrypted. When the attacker accessed the database, they didn't need to crack anything. The keys were just there.
| Framework | Specific Control | Requirement |
|---|---|---|
| ISO 27001:2022 | Annex A.8.24 | Encryption of sensitive data at rest is mandatory for all data classified as confidential or above. |
| SOC 2 | CC6.1 | Encryption controls must be applied to protect data from unauthorized access, including at-rest storage. |
| DPDP Act 2023 | Section 8(4) | Data fiduciaries must implement appropriate technical measures; encryption of authentication credentials is a baseline expectation. |
| HIPAA / PCI DSS | §164.312(a)(2)(iv) | Encrypt electronic protected health information. PCI DSS Req. 3.5 mandates encryption of stored cardholder data. |
Classify your sensitive data. Anything in the top tier (authentication credentials, PII, financial data) must be encrypted at rest using AES-256 or equivalent. This is not optional under any major compliance framework. If you haven't done a data classification exercise, start there.
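What "encrypted at rest" looks like for a record like a USIM authentication key, as an added example (not code from the original article or from SecComply): a subscriber secret is sealed with AES-256-GCM under a key-encryption key, the subscriber identifier is bound in as additional authenticated data, and an audit helper checks whether the stored bytes still contain the secret verbatim, which is exactly the condition the PIPC found. The key, the subscriber identifier and the secret value are all constructed placeholders; a real deployment takes the key from an HSM or KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DemoKEK is a constructed 32-byte (AES-256) key-encryption key. In a real
// deployment the key lives in an HSM or cloud KMS, never beside the database.
var DemoKEK = bytes.Repeat([]byte{0x42}, 32)

// SealRecord encrypts one subscriber secret with AES-256-GCM. The subscriber
// identifier is bound in as additional authenticated data (AAD), so a
// ciphertext copied onto a different subscriber's row will not decrypt.
// Stored layout: nonce || ciphertext || GCM tag.
func SealRecord(kek []byte, subscriberID string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(subscriberID)), nil
}

// OpenRecord reverses SealRecord. Any change to the stored bytes, the
// subscriber identifier or the key yields an error, never wrong plaintext.
func OpenRecord(kek []byte, subscriberID string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record too short")
	}
	nonce, ciphertext := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(subscriberID))
}

// PlaintextLeaked is the audit check: does the at-rest record still contain
// the secret verbatim? For an unencrypted column this returns true.
func PlaintextLeaked(stored, secret []byte) bool {
	return bytes.Contains(stored, secret)
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	secret := []byte("CONSTRUCTED-SIM-AUTH-KEY-00000001") // placeholder, not a real Ki
	stored, err := SealRecord(DemoKEK, "subscriber-0001", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible in encrypted record: %v\n", PlaintextLeaked(stored, secret))
	fmt.Printf("plaintext visible in unencrypted row:  %v\n", PlaintextLeaked(secret, secret))
	back, err := OpenRecord(DemoKEK, "subscriber-0001", stored)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, secret), err)
	_, err = OpenRecord(DemoKEK, "subscriber-0002", stored)
	fmt.Printf("record moved to another subscriber's row: err=%v\n", err)
}
```

The AAD binding is the part most teams skip: without it, encrypted values can be swapped between rows without the database noticing, so "encrypted at rest" alone does not guarantee the key you read back belongs to the subscriber you looked up.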
Failure 2: No Access Controls Between Internet-Facing and Internal Systems
The PIPC's finding was stark: SKT "did not even implement basic access controls" between its internet-facing infrastructure and its internal management network. The attacker pivoted from the perimeter into SKT's core systems with no resistance.
This is the network segmentation problem. When your front door and your safe are in the same room with no wall between them, a breach becomes a catastrophe.
Implement network segmentation: separate internet-facing systems from internal management networks and critical data stores using firewalls, VLANs, and Zero Trust access policies. ISO 27001 Annex A.8.22 (Network Segmentation) and SOC 2 CC6.6 both require logical separation of network environments.
Fig 2. The difference between SKT's architecture (no segmentation, plain-text keys) and a correctly segmented Zero Trust network with encrypted storage.
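A zone-level version of the check behind that figure, as an added example (not code from the original article or from SecComply): allowed flows between network zones are treated as a graph, and an audit asks two questions the PIPC finding turns on, whether the management zone is reachable from the internet at all, and whether anything other than the application tier has a direct path into the key store. The zone names, the two rule sets and the policy are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one allowed connection between two network zones (a firewall or VLAN rule).
type Flow struct{ From, To string }

// Reachable reports whether traffic starting in zone `from` can arrive in zone
// `to` by chaining allowed flows (breadth-first search over the zone graph).
func Reachable(flows []Flow, from, to string) bool {
	adj := map[string][]string{}
	for _, f := range flows {
		adj[f.From] = append(adj[f.From], f.To)
	}
	seen := map[string]bool{from: true}
	queue := []string{from}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == to {
			return true
		}
		for _, next := range adj[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	return false
}

// Policy states which zones must be unreachable from the internet and, for
// each protected data store, which zones are the only permitted direct sources.
type Policy struct {
	IsolatedFromInternet []string
	AllowedSources       map[string][]string
}

// AuditSegmentation returns one finding per policy violation; an empty result
// means the zone design passes.
func AuditSegmentation(flows []Flow, p Policy) []string {
	var findings []string
	for _, zone := range p.IsolatedFromInternet {
		if Reachable(flows, "internet", zone) {
			findings = append(findings, fmt.Sprintf("internet can reach %s", zone))
		}
	}
	for store, allowed := range p.AllowedSources {
		ok := map[string]bool{}
		for _, a := range allowed {
			ok[a] = true
		}
		for _, f := range flows {
			if f.To == store && !ok[f.From] {
				findings = append(findings, fmt.Sprintf("%s has direct access to %s", f.From, store))
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// FlatFlows is a constructed flat design: the web tier sits on the same network
// as the management hosts and the key store, with no rule in between.
var FlatFlows = []Flow{
	{"internet", "web"}, {"web", "mgmt"}, {"web", "usim-db"}, {"mgmt", "usim-db"},
}

// SegmentedFlows is a constructed segmented design: the internet reaches only the
// DMZ; the DMZ talks to an API tier; only the API tier and management reach the
// key store; and management is entered only through a bastion the internet cannot touch.
var SegmentedFlows = []Flow{
	{"internet", "dmz"}, {"dmz", "api"}, {"api", "usim-db"},
	{"bastion", "mgmt"}, {"mgmt", "usim-db"},
}

// DemoPolicy is the constructed target state for the audit.
var DemoPolicy = Policy{
	IsolatedFromInternet: []string{"mgmt", "bastion"},
	AllowedSources:       map[string][]string{"usim-db": {"api", "mgmt"}},
}

func main() {
	fmt.Println("flat design:     ", AuditSegmentation(FlatFlows, DemoPolicy))
	fmt.Println("segmented design:", AuditSegmentation(SegmentedFlows, DemoPolicy))
}
```

Note that the segmented design still lets the internet reach the key store indirectly, through the API tier; that is the application path and is expected. The audit flags direct access from a zone that should not have it and any path at all into management, which is what separates "segmented" from "flat".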
Failure 3: Inadequate Access Privilege Management
The PIPC also cited SKT's failure to manage access privileges correctly. Too many accounts had access to too many systems, a textbook violation of the principle of least privilege. Once the attacker was inside, they could move laterally without encountering meaningful access barriers.
This is the same control failure that enabled the M&S breach. It's also one of the most commonly cited deficiencies in any compliance audit.
Conduct a quarterly access review. Every user, service account, and third-party integration should have only the permissions required to do their job, nothing more. Privileged Access Management (PAM) tools automate this enforcement. ISO 27001 Annex A.8.2 (Privileged Access Rights) and SOC 2 CC6.3 require documented, enforced least-privilege policies.
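The mechanics of such a review, as an added example (not code from the original article or from SecComply): each account in an inventory is compared against a least-privilege baseline for its role, and the review reports excess permissions, roles with no baseline, admin rights held by service accounts, and dormant accounts. The roles, permission names, accounts and the 90-day dormancy threshold are constructed assumptions; the permission strings follow a hypothetical `resource:action` convention.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Account is one row of an access inventory: a human or service identity, the
// role it was assigned, the permissions actually granted, and how stale it is.
type Account struct {
	Name           string
	Role           string
	Service        bool
	Granted        []string
	DaysSinceLogin int
}

// RoleBaseline is the constructed least-privilege baseline: the permissions a
// role needs to do its job, and nothing more.
var RoleBaseline = map[string][]string{
	"support-agent": {"subscriber:read"},
	"billing-svc":   {"billing:read", "billing:write"},
	"dba":           {"usim-db:read", "usim-db:write", "usim-db:admin"},
}

// ReviewAccess compares every account against its role baseline and returns
// one finding per deviation: permissions outside the baseline, roles with no
// baseline, admin rights on service accounts, and dormant accounts.
func ReviewAccess(accounts []Account, baseline map[string][]string, dormantAfterDays int) []string {
	var findings []string
	for _, a := range accounts {
		allowed, known := baseline[a.Role]
		if !known {
			findings = append(findings, fmt.Sprintf("%s: role %q has no baseline", a.Name, a.Role))
		}
		ok := map[string]bool{}
		for _, p := range allowed {
			ok[p] = true
		}
		for _, p := range a.Granted {
			if known && !ok[p] {
				findings = append(findings, fmt.Sprintf("%s: excess permission %s", a.Name, p))
			}
			if a.Service && strings.HasSuffix(p, ":admin") {
				findings = append(findings, fmt.Sprintf("%s: service account holds %s", a.Name, p))
			}
		}
		if a.DaysSinceLogin > dormantAfterDays {
			findings = append(findings, fmt.Sprintf("%s: dormant for %d days", a.Name, a.DaysSinceLogin))
		}
	}
	sort.Strings(findings)
	return findings
}

// DemoAccounts is a constructed inventory with one clean account and several
// typical deviations.
var DemoAccounts = []Account{
	{Name: "alice", Role: "support-agent", Granted: []string{"subscriber:read", "usim-db:read"}, DaysSinceLogin: 2},
	{Name: "billing-bot", Role: "billing-svc", Service: true, Granted: []string{"billing:read", "billing:write", "usim-db:admin"}},
	{Name: "bob", Role: "dba", Granted: []string{"usim-db:read", "usim-db:write", "usim-db:admin"}, DaysSinceLogin: 120},
	{Name: "carol", Role: "contractor", Granted: []string{"usim-db:read"}, DaysSinceLogin: 5},
	{Name: "dave", Role: "support-agent", Granted: []string{"subscriber:read"}, DaysSinceLogin: 1},
}

func main() {
	for _, f := range ReviewAccess(DemoAccounts, RoleBaseline, 90) {
		fmt.Println(f)
	}
}
```

The findings list is the artefact an auditor asks for: evidence that the review ran, what it found, and (once each line is tied to a revocation ticket) that the excess was removed. A role with no baseline is itself a finding, because an account whose "required" permissions nobody has written down cannot be reviewed against anything.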
Failure 4: Delayed Breach Notification, a Separate Fine
This one is particularly important for Indian organisations. SKT received a separate administrative fine specifically for failing to notify affected customers within the legally required timeframe after discovering the breach.
Breach notification isn't just an ethical obligation; it's a hard regulatory deadline. Miss it, and you get fined twice: once for the breach, once for the cover-up.
| Regulation | Notification Deadline | Penalty for Non-Compliance |
|---|---|---|
| DPDP Act 2023 (India) | Without unreasonable delay (72-hour guideline expected) | Up to ₹250 crore per incident |
| GDPR (EU) | 72 hours to supervisory authority | Up to €20M or 4% global turnover |
| South Korea PIPA | 24–72 hours | Separate administrative fine + criminal liability |
| HIPAA (US Healthcare) | 60 days from discovery (>500 affected) | $100–$50,000 per violation |
India's DPDP Act 2023 introduces mandatory breach notification obligations for the first time. Organisations handling personal data must notify both the Data Protection Board of India and affected individuals after a breach. You cannot notify if you haven't detected the breach, which means detection capability is now a compliance requirement, not just a security best practice.
The Real Cost of Non-Compliance
The $97.2M fine is just the headline number. The full cost of SKT's compliance failures is far larger:
- $97.2M regulatory fine from South Korea's PIPC
- $153.8M estimated cost of replacing SIM cards for 23 million subscribers
- 250,000 subscribers left immediately, with churn projected to reach 2.5 million
- 800 billion won cut from the 2025 revenue forecast due to customer compensation packages
- $560M committed over 5 years to rebuild data security infrastructure after the breach
- Class action lawsuits filed, with damages sought for each of the 23 million affected individuals
SKT will spend more fixing this in the next five years than it would have cost to build proper compliance controls from the start. This is the pattern in every major regulatory breach: the cure is always more expensive than the prevention. Compliance isn't a cost centre; it's risk capital.
How SecComply Maps to These Exact Controls
Every failure the PIPC cited in SK Telecom's case is something SecComply's platform is specifically built to identify and remediate. Here's the direct mapping:
| SKT Compliance Failure | SecComply Feature | Framework Covered |
|---|---|---|
| No data encryption | Automated data classification + encryption control tracking in Overwatch gap dashboard | ISO 27001 A.8.24, SOC 2 CC6.1, DPDP Act S.8 |
| No network segmentation | Cloud Security Scanner flags exposed management interfaces and missing segmentation in AWS, Azure, GCP | ISO 27001 A.8.22, SOC 2 CC6.6 |
| Poor access privilege management | Continuous access control monitoring + quarterly access review workflows built into platform | ISO 27001 A.8.2, SOC 2 CC6.3 |
| Delayed breach notification | Pre-built Incident Response playbooks with automated notification workflow templates; breach timer built in | DPDP Act, GDPR Art.33, HIPAA §164.412 |
| Long-standing undetected vulnerabilities | Continuous vulnerability scanning with CVSS-priority remediation queue, no 'set and forget' gaps | ISO 27001 A.8.8, SOC 2 CC7.1 |
5 Compliance Controls to Audit This Week
Based directly on the PIPC's findings, if SKT had checked these five things, the $97M fine wouldn't exist.
1. Inventory your sensitive data. Where is your most sensitive data stored? Is it encrypted at rest? If you can't answer both questions today, that's your gap.
2. Map your network zones. Can an attacker pivot from a public-facing service to your internal database? Draw the network boundary. Close the gaps.
3. Run a least-privilege access review. Who has admin access? Does every service account need the permissions it has? Revoke what isn't needed.
4. Test your breach notification process. If you discovered a breach tonight, do you know exactly who to call and what to file? Time it. It should take hours, not days.
5. Book a compliance gap assessment. Get an independent view of where you stand against ISO 27001, SOC 2, or DPDP Act before a regulator does it for you.