SK Telecom hacked, exposing data of 23 million subscribers

SK Telecom, South Korea’s largest mobile carrier with about 23 million subscribers, suffered a cyberattack that led to a potential leak of SIM card information. The company said malware infected its Home Subscriber Server (HSS) around 11 p.m. on the 19th, potentially exposing the International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI), and the USIM authentication key.

SK Telecom said it immediately removed the malicious code and that no personal data—such as resident registration numbers, birth dates, or bank account details—had been compromised. However, the full scope of the breach remained unclear, and further damage could not be ruled out.

By exploiting leaked USIM information, attackers can potentially activate so-called "burner phones" to intercept a victim’s calls and text messages. SK Telecom has said that such misuse is unlikely due to its security systems designed to block unauthorized SIM activity. However, if the authentication process is bypassed, a burner phone could be used to access mobile banking and stock trading apps, authorize micropayments, or hijack social media accounts.

In 2022, more than 40 SIM swapping cases were reported in Korea. Victims said their phones abruptly stopped working, after which they received notifications that their devices had been changed. In these cases, cryptocurrency assets worth millions to hundreds of millions of won were stolen.

The breach is particularly serious because it involved the HSS, which is considered one of the most secure parts of telecom infrastructure. The identity of the attackers, as well as the method and route of intrusion, remain unknown. The incident has raised questions about whether SK Telecom underinvested in cybersecurity technology and staffing at a time when hacking techniques are growing increasingly sophisticated.

Korean telecom companies have faced repeated data breaches in recent years. In January 2023, LG Uplus reported the leakage of information from 300,000 users. In 2014, KT acknowledged a breach affecting 12 million individuals. Despite such incidents, critics say that security investment and awareness across the industry have shown little sign of improvement.

Cell phones now serve as digital identification cards, storing sensitive personal information, and mobile networks function as critical infrastructure—heightening public concern in the wake of the breach. SK Telecom waited four days before notifying subscribers by text message about its USIM protection service, fueling criticism of the company’s response.

As the nation’s largest telecommunications provider, SK Telecom faces growing pressure to take full responsibility. The company must assume the worst-case scenario, implement stronger safeguards for its users, and conduct a thorough investigation into the cause of the breach. Preventive measures are also urgently needed to avoid future incidents.