AT&T, Verizon, T-Mobile better watch out: fines for personal data leaks can reach $100 million
Smart companies learn from experience, wise companies learn from the experience of others.
Carriers like AT&T, Verizon and T-Mobile better pay attention to what's going on in South Korea – maybe the US-based telecoms can learn from other carriers' mistakes. The stakes are high, in the $100 million ballpark.
Mere hours ago, a regulator in South Korea fined SK Telecom, the biggest mobile carrier in the country. The imposed financial penalty amounts to 134.8 billion won, which is approximately $97 million when directly converted. What's more, an additional administrative penalty of 9.6 million won was also imposed.
Similarly, the reason for the record SK Telecom fine is a massive user data leak. It happened back in April of this year. PIPC Chairperson Ko Hak-soo explained at a press briefing that the committee had reached the decision during a general meeting the previous day.
The breach was first reported by SK Telecom to the PIPC on April 22, after the company detected suspiciously large volumes of data leaving its network on April 18. Following a months-long investigation, regulators confirmed that information belonging to more than 23 million customers had been compromised. The stolen data included phone numbers, international mobile subscriber identity codes, and 23 other types of universal subscriber identity module (USIM) information.
In July, the government declared SK Telecom liable for failing to adequately protect customer information. As part of the response, regulators instructed the company to waive early termination fees for subscribers who chose to switch carriers.
The PIPC said the fines were based on several shortcomings in SK Telecom's data protection practices, including weak access controls, poor oversight of access rights, failure to encrypt USIM authentication keys, and delayed notification of affected users.
Just last month, SK Telecom pledged 700 billion won toward information security initiatives and an additional 500 billion won toward customer protection, alongside its commitment to waive termination fees. Too late?
After the fine was announced, SK Telecom released a statement acknowledging the decision and expressing a sense of responsibility. However, it also expressed disappointment that its protective efforts and explanations were not fully reflected in the outcome. SK Telecom said it will review the PIPC's written decision. The company has 90 days from receiving the decision to legally challenge the ruling.
Still, the size of the fine has drawn criticism, with some pointing out inconsistencies compared to past cases. Google, for instance, was fined 69.2 billion won in 2022 for using customer data for targeted advertising without consent. Kakao was fined 15.1 billion won over a data leak involving its open chatroom service, while LG Uplus paid 6.8 billion won after a breach similar to SK Telecom's.
This is way more than Google's 2022 fine, ~70 billion won. The search engine giant was fined for gathering personal information without user consent.
Similarly, the reason for the record SK Telecom fine is a massive user data leak. It happened back in April of this year. PIPC Chairperson Ko Hak-soo explained at a press briefing that the committee had reached the decision during a general meeting the previous day.
The breach was first reported by SK Telecom to the PIPC on April 22, after the company detected suspiciously large volumes of data leaving its network on April 18. Following a months-long investigation, regulators confirmed that information belonging to more than 23 million customers had been compromised. The stolen data included phone numbers, international mobile subscriber identity codes, and 23 other types of universal subscriber identity module (USIM) information.
We hope this incident serves as a reminder for companies that process large volumes of personal data to view the personal information protection budgets as an essential investment. We also expect it will raise awareness of the role and importance of CPOs and dedicated privacy teams in corporate management.
– PIPC Chairperson Ko Hak-soo, August 2025
The PIPC said the fines were based on several shortcomings in SK Telecom's data protection practices, including weak access controls, poor oversight of access rights, failure to encrypt USIM authentication keys, and delayed notification of affected users.
After the fine was announced, SK Telecom released a statement acknowledging the decision and expressing a sense of responsibility. However, it also expressed disappointment that its protective efforts and explanations were not fully reflected in the outcome. SK Telecom said it will review the PIPC's written decision. The company has 90 days from receiving the decision to legally challenge the ruling.
Still, the size of the fine has drawn criticism, with some pointing out inconsistencies compared to past cases. Google, for instance, was fined 69.2 billion won in 2022 for using customer data for targeted advertising without consent. Kakao was fined 15.1 billion won over a data leak involving its open chatroom service, while LG Uplus paid 6.8 billion won after a breach similar to SK Telecom's.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: