SKT could lose $5B from data breach falloutSKT could lose $5B from data breach fallout

SK Telecom (SKT) could lose as much as 7 trillion Korean won (US$5 billion) over the next three years from waived early termination fees and lost revenue as customers seek to jump ship in the wake of a major data breach that compromised universal subscriber identity module (USIM) information.

The company's CEO, Ryu Young-sang, testified at a National Assembly hearing held in Seoul on Thursday that 250,000 SKT customers have already switched to competing carriers, adding that the number could soon rise to 2.5 million subscribers.

"If monthly cancellations reach as high as 5 million, we estimate losses of up to KRW7 trillion for the next three years, including waived termination fees and lost revenue," Ryu said, as quoted by the Yonhap News Agency.

An early termination fee, which averages about KRW100,000 ($71.39) per person for SKT, is typically charged to customers who cancel their contract before the end of its term, especially if they have received device subsidies and other promotional discounts.

Ryu said that the fee waiver alone would cost SKT about KRW250 billion ($176 million) if the number of subscribers switching to other carriers reached 2.5 million.

Early termination fee waiver under review

SKT has been flooded with calls to exempt customers from this fee amid user concerns after the data breach, but the operator said the proposal needs further study.

Related:SK Telecom takes full responsibility amid USIM hacking fallout

"The issue involves not only legal aspects but also the ecosystem of mobile telecommunications and various losses for SK Telecom, all complexly intertwined," Ryu said, as quoted by The Korea Times.

He noted that the decision is difficult to make due to the massive potential fallout, adding that SKT will review the issue through its board of directors and its newly formed Customer Trust Restoration Committee.

The malware that infected SKT's internal systems and caused a USIM data has affected approximately 25 million SKT users and MVNO subscribers. This week, the operator has temporarily halted new subscriber registrations as it focuses on replacing the SIM cards of affected users. It has also started automatic enrollment for its USIM protection service, without the need for customers to apply in person.

The data breach, which has been called "the worst hacking incident in the history of the telecom industry," prompted an apology from SK Group Chairman Chey Tae-won on Wednesday and a pledge to strengthen cybersecurity across the conglomerate's subsidiaries.

"We will actively cooperate with the government's investigation to determine the cause of the accident and make every effort to prevent any damage to our customers." Chey said. "Separately, we will inspect the overall security system for all SK Group companies and increase investment in security systems."

Related:SKT suspends new customer subscriptions after USIM card shortage, cyberattack

SKT could face hefty fines

Meanwhile, South Korea's privacy regulator said that SKT is likely to be slapped with a substantial fine over the USIM data .

Ko Hak-soo, chairman of the Personal Information Protection Commission (PIPC), said the fine will be higher than the KRW 6.8 billion ($4.86 million) imposed on LG Uplus in July 2023 for a data breach that affected 300,000 customers.

"SKT's penalty is likely to be higher than LG Uplus for three reasons," Ko told Korea JoongAng Daily. "Legal revisions introduced since then allow for tougher sanctions, the scale of SKT's is significantly larger affecting 25 million subscribers, and unlike LG Uplus, where the breach involved a supporting database, SKT's data was compromised directly from its primary database."

Under the revised PIPC Protection Act, which was amended in September 2023, the privacy watchdog significantly increased the fines for violations, which are capped at 3% of a company's total revenue. Previously, the maximum fine was capped at 3% of the revenue associated with the specific violation.

According to PIPC, the personal data confirmed to have been from SKT includes a total of 25 types of information stored in its main subscriber database. This information includes phone numbers, subscriber identity numbers, USIM authentication keys, and other USIM-related data.

SK Telecom is expected to send out the first round of notifications by Friday to all its users potentially affected by the data breach, based on its initial findings to date.