SK Telecom hack exposes nearly all subscriber data

Posted May. 20, 2025 07:33, Updated May. 20, 2025 07:33

A government-private joint investigation team revealed Sunday that SK Telecom’s network was infiltrated by malicious code as early as June 2022, meaning the telecom giant remained unaware of the breach for nearly three years. Authorities confirmed that servers containing critical subscriber data—including device identification numbers and personal information—were compromised, raising fears of a massive data leak.

The Ministry of Science and ICT disclosed the second-phase findings of its investigation at a press briefing held at the Seoul Government Complex on May 19. The initial probe had identified five infected servers, three of which were Home Subscriber Servers (HSS) from which 25 categories of user data, including SIM information, were leaked. The second round uncovered 18 more compromised servers, bringing the total to 23.

The scale of the breach is significant. Investigators found 26,957,749 leaked SIM data entries, exceeding the total subscriber base of SK Telecom and its mobile virtual network operator (MVNO) partners, which is estimated at around 25 million. This suggests the data of virtually all subscribers may have been compromised.

Notably, among the newly identified compromised servers, two were found to temporarily store personal data used in customer verification. These were connected to SK Telecom’s integrated customer authentication system and contained 291,831 records, including IMEI numbers, names, birthdates, phone numbers, and email addresses.

The potential theft of IMEI data has heightened concerns about SIM swapping attacks using cloned phones. However, the investigation team stated that no data exfiltration was detected during firewall log inspections conducted for the period between Dec. 3, 2023, and April 24, 2024. Whether any data was stolen between the initial infection on June 15, 2022, and Dec. 2, 2023, remains unclear due to a lack of logs.

SK Telecom has downplayed the risk of cloned phone attacks, stating that its upgraded Fraud Detection System (FDS) 2.0 blocks unauthorized devices from accessing its network. The company has not disclosed why the breach went undetected for so long but pledged to strengthen its cybersecurity measures in the wake of the findings.


Reporter 장은지 jej@donga.com