[Alpha Biz= Kim Jisun] The South Korean government has concluded that KT should waive early termination fees for all customers following a data breach involving unauthorized microtransactions and hacking incidents. Authorities have also referred LG Uplus to the police for obstructing an investigation by dismantling hacked servers, which made it impossible to determine whether customer data had been leaked.

The findings were announced on the 29th by a joint public-private investigation team under the Ministry of Science and ICT (MSIT), which concluded its probe into recent cyberattacks involving KT and LG Uplus.

According to the investigation, unauthorized microtransactions totaling 240 million won (approximately USD 175,000) occurred between August 1 last year and September 10 this year, affecting around 22,000 users. Exposed data included phone numbers, International Mobile Subscriber Identity (IMSI) numbers, and International Mobile Equipment Identity (IMEI) numbers. The estimate is based on currently available billing data, as investigators said they were unable to verify potential damage prior to July last year.

The breach was attributed to poor management of KT’s “femtocells,” small base stations used to improve coverage in weak signal areas. KT had used identical authentication certificates across all femtocells, allowing unauthorized devices to access its network once the certificate was copied.

Investigators also confirmed that illegal femtocells could intercept voice calls, enabling eavesdropping. Although KT had applied encryption to voice calls and text messages transmitted between devices and its network, the rogue femtocells were capable of decrypting them. This enabled attackers to intercept authentication codes and SMS messages used for microtransactions. While investigators found no evidence of actual interception of regular voice calls or messages, they confirmed that such interception was technically possible.

It was also revealed that KT had not applied SMS encryption to iPhones released up to the iPhone 16 model.

In a separate breach involving KT servers, investigators found that 94 servers had been infected with 103 types of malware. Among them were web shell and BPFdoor attacks dating back to April 2022. KT reportedly identified the infections last year but concealed them after conducting only antivirus cleanups. Additional malware, including rootkits, remained active from 2023 through July of this year.

Due to KT retaining log records for only one to two months, investigators said they were unable to determine whether data leaks occurred during earlier periods. “It cannot be concluded that no data was leaked during periods for which logs no longer exist,” said Ryu Je-myung, Vice Minister of Science and ICT.

The government concluded that KT’s systemic security failures constitute grounds for waiving termination fees for all customers. “KT failed to fulfill its contractual obligation to provide secure telecommunications services, and the company bears responsibility for this incident,” the investigation team stated.

In the case of LG Uplus, investigators confirmed the leakage of employee names and portions of server lists. However, further investigation was hindered after the company dismantled the affected servers or reinstalled their operating systems. The Ministry of Science and ICT has referred LG Uplus to the National Police Agency on charges of obstruction of official duties.

 

 

 

[ⓒ 알파경제. 무단전재-재배포 금지]