Author International Team Hit 254 Date 2025-05-08 3:47:00 PM
Subject

[Statement] The KBA Calls for Accountable Measures and Adequate Compensation in the Wake of the SK Telecom Personal Data Breach


The Korean Bar Association Calls for Accountable Measures and Adequate Compensation in the Wake of the SK Telecom Personal Data Breach, and Proposes Institutional Reforms Including the Introduction of Punitive Damages


On April 19, 2025, at approximately 11:00 p.m., SK Telecom (hereinafter “SKT”) experienced a massive data breach involving the personal information of approximately 25 million subscribers due to a malware attack. The compromised data includes sensitive information contained in users' USIM cards, which may be exploited for secondary crimes such as SIM-swapping and fraudulent phone activations. Despite the scale and severity of the incident, SKT reported the suspected breach to the Personal Information Protection Commission only on April 22, three days after the incident. The company announced plans to offer free USIM replacements to all subscribers.


The Korean Bar Association expresses its deep concern over this incident. This is not a mere security mishap by a private entity; it is a grave violation of the constitutional right to informational self-determination. The personal data retained by telecommunications providers is an essential part of citizens’ daily lives, and the implications of this breach must be regarded as a serious threat to national security and public trust.


SKT’s response has also been significantly lacking. Public notice of the breach was delayed for several days, and the full scope and nature of the leaked information remain undisclosed. Moreover, rather than automatically providing protective measures to all users, such as USIM protection services, SKT is requiring individual applications, raising suspicions that the company may intend to limit compensation based on whether users were subscribed to such services at the time of the breach.


The chaos is now spilling over into both government and society. The National Intelligence Service has recommended that 19 government ministries, 17 metropolitan governments, and local boards of education replace USIMs and conduct security checks. The Ministry of National Defense has issued a mandatory USIM replacement directive for military officers, and numerous companies have similarly urged their employees to take precautionary measures. Should this breach lead to secondary damages involving civil servants and corporate officials who handle sensitive information, the scope of harm could become incalculable.


The repeated occurrence of corporate data breaches is largely due to the fact that the costs associated with maintaining and protecting personal information are significantly higher than the financial penalties companies typically face following such incidents. In contrast, in jurisdictions such as the United States and European Union, companies may be ordered to pay severe punitive damages, potentially threatening their viability, thereby incentivizing robust data protection measures.


Given the importance of personal data, corporations must be held to a much higher standard of care. In particular, when a company fails to fulfill its duty to protect personal information, it should bear substantial liability in the form of punitive damages. Institutional frameworks with binding enforcement mechanisms are essential to prevent the recurrence of such large-scale data breaches.


The Korean Bar Association strongly urges SKT to take full accountability and demands that the government and National Assembly adopt fundamental solutions to prevent the recurrence of such incidents.


First, SKT must immediately disclose all facts transparently and provide USIM protection services to all users without requiring separate applications. Beyond free USIM replacements, it must offer professional identity protection and credit monitoring services to all affected users for a minimum of five years. The company must also establish a reimbursement and compensation framework for users who have already borne the cost of USIM replacement and suffered additional financial losses.


Second, the government must establish a joint investigative task force to thoroughly determine the cause, responsibility, and potential concealment surrounding the incident and disclose the results transparently. Security regulations for telecommunications providers must be strengthened to include mandatory external penetration testing at least twice a year, akin to those in the financial sector, and legislative measures requiring breach notification and reporting within 24 hours must be enacted.


Third, the National Assembly must introduce a general punitive damages system and ease the requirements for class action lawsuits. Although certain statutes such as the Product Liability Act already include punitive damages provisions, the standards are overly restrictive, rendering the remedy largely ineffective. Legislative reform should reduce the burden of proof on victims and allow class actions in cases of personal data breaches, including provisions for damages up to five times the actual harm in cases involving secondary consequences.


The Korean Bar Association reiterates its deep concern over the SKT data breach and urgently calls for prompt and transparent action. We further demand that the government and legislature immediately begin work to introduce institutional reforms, including a general punitive damages regime and a more accessible class action system.


April 30, 2025

Korean Bar Association

Jung Wook KIM, President



