SK Telecom hack exposes data of 26 million subscribers over three years



 
SK Telecom CEO Ryu Young-sang speaks at a daily briefing to explain misunderstandings related to SIM replacements in central Seoul on May 2. [SK TELECOM]


 
A recent investigation into the SK Telecom (SKT) hacking incident revealed that the breach was far more extensive than initially feared. According to the second round of findings from a joint government and private-sector probe released on Monday, the personal information of all 26 million SK Telecom users — including those using its budget mobile service — was leaked over a period spanning three years.
 
The breach included full-scale exposure of users’ SIM information, including international mobile subscriber identity (IMSI) numbers. Shockingly, both the telecom provider and the government remained unaware of the breach for years, despite it affecting roughly half of Korea’s population.
 
Initial findings on April 29 showed that five servers infected with malware included three home subscriber servers containing 25 types of sensitive user data. The second probe uncovered an additional 18 compromised servers, bringing the total to 23. Fifteen of those have undergone forensic analysis, while eight remain under review.
 
Investigators traced the origin of the malware to June 15, 2022. For the period between then and Dec. 2, 2022, for which no log records exist, investigators believe international mobile equipment identity (IMEI) numbers may also have been compromised.
 


While IMSI information can be protected through SIM replacement or dedicated protection services, IMEI leaks pose a graver threat. If a phone’s IMEI is leaked, cloning of the actual device becomes a possibility. The Ministry of Science and ICT consulted manufacturers and confirmed that phones cannot be cloned with the IMEI alone — additional encryption keys unique to the device are required. This offers some reassurance, but the sophistication of modern hacking methods means user anxiety remains high.
 
Both SKT and the government had previously insisted that only SIM data had been leaked. However, each phase of the investigation continues to reveal new vulnerabilities, eroding public trust in telecom security assurances.
 
Of particular concern is the discovery that much of the malware used belonged to the BPFdoor (Berkeley Packet Filter Door) family, a backdoor first identified by PwC in early 2022. It was reportedly deployed by Red Menshen, a Chinese state-linked hacking group, in cyberattacks on telecom companies across Asia and the Middle East.
 
Cybersecurity firm Trend Micro has warned that Red Menshen specializes in advanced persistent threat operations and develops variants of backdoors like BPFdoor to conduct long-term cyberespionage campaigns. The SKT hack appears to bear the hallmarks of such activity, raising the possibility that this was not a typical breach, but a sophisticated attack with geopolitical implications.
 
SK Group Chairman Chey Tae-won bows in apology during a press conference at SKT Tower in Jung District, central Seoul, on May 7. [JOINT PRESS CORPS]


 
Although the perpetrators have not yet been formally identified, the scale and nature of the intrusion suggest that this case goes beyond a corporate security failure. It calls into question the robustness of Korea’s national cybersecurity framework.
 
At the very least, SK Telecom must overhaul its security protocols. Holding data on nearly half the country’s population, it has a responsibility that goes far beyond commercial operations. The incident serves as a wake-up call not only for the telecom industry, but for the nation’s entire cybersecurity posture.


Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.