In April, South Korea’s telco giant SK Telecom (SKT) was hit by a cyberattack that led to the theft of personal data on roughly 23 million customers, equal to nearly half of the country’s 52 million residents.
At a National Assembly hearing in Seoul on Thursday, SKT chief executive Young-sang Ryu said about 250,000 users have switched to a different telecom provider following the data breach. He said he expects this number to reach 2.5 million, more than tenfold the current number, if the company waives cancellation fees.
The company could lose up to $5 billion (around ₩7 trillion) over the next three years if it decides not to charge cancellation fees for users who want to cancel their contract early, Ryu said at the hearing.
“SK Telecom considers this incident probably the most severe security breach in the company’s history and is putting forth our utmost effort to minimize any damage to our customers,” a spokesperson at SKT told TechCrunch in an emailed statement. “The number of customers affected and the entity responsible for the hacking is under investigation,” the spokesperson added.
A joint investigation involving both public and private entities is currently underway to identify the exact cause of the incident.
The Personal Information Protection Commission (PIPC) of South Korea announced on Thursday that 25 different types of personal information, including mobile phone numbers and unique identifiers (IMSI numbers), as well as USIM authentication keys and other USIM data, had been exfiltrated from SKT’s central database, known as its home subscriber server. The compromised data can put customers at greater risk of SIM swapping attacks and government surveillance.
After its official announcement of the incident on April 22, SKT has been offering SIM card protection and free SIM card replacements to prevent further damage to its customers.
“We detected possible information leakage concerning SIM on April 19,” the spokesperson at SKT told TechCrunch. “Following the identification of the breach, we immediately isolated the affected device while thoroughly investigating the entire system.”
“To further safeguard our customers, we’re currently developing a system that can protect users’ information through the SIM protection service while allowing them to use roaming services seamlessly outside of Korea by May 14,” the spokesperson said.
To date, SKT has not received any reports of secondary damage and no verified instances of customer information being distributed or misused on the dark web or other platforms, the company told TechCrunch.
A timeline of SKT’s data breach
April 18, 2025
SKT detected abnormal activities on April 18 at 11:20 p.m. local time. SKT found unusual logs and signs of data having been deleted on equipment that the company uses for monitoring and managing billing information for its customers, including data usage and call durations.
April 19, 2025
The company identified a data breach on April 19 in its home subscriber server in Seoul, which typically houses subscriber information, including authentication, authorization, location, and mobility details.
April 20, 2025
SKT reported the cyberattack incident to Korea’s cybersecurity company.
April 22, 2025
SKT confirmed on its website that it detected suspicious activity, indicating a “potential” data breach involving some information related to users’ USIM data.
April 28, 2025
SKT began replacing the mobile SIM cards of 23 million users, but the company has faced shortages in obtaining sufficient USIM cards to fulfill its promise to provide free SIM card replacements.
April 30, 2025
South Korean police started investigating SKT’s suspected cyberattack on April 18.
May 1, 2025
According to local media reports, many South Korean companies, including SKT, use Ivanti VPN equipment, and the recent data breach may be linked to China-backed hackers.
Per a local media report, SKT said it received a cybersecurity notice from KISA instructing the company to turn off and replace the Ivanti VPN.
TeamT5, a cybersecurity company based in Taiwan, alerted the public to the global threats posed by a government-backed group linked to China, which allegedly took advantage of vulnerabilities in Ivanti’s Connect Secure VPN systems to gain access to multiple organizations globally.
Some 20 industries have been affected, including automotive, chemical, financial institutions, law firms, media, research institutes, and telecommunications, across 12 countries, including Australia, South Korea, Taiwan, and the US.
May 6, 2025
A team of public and private investigators discovered an additional eight types of malware in SKT’s hacking case. The team is currently investigating whether the new malware was installed on the same home subscriber server as the original four strains or if they are located on separate server equipment.
May 7, 2025
Tae-won Chey, the chairman of SK Group, which operates SKT, publicly apologized for the first time for the data breach, some three weeks after the breach occurred.
As of May 7, all eligible users have been signed up for the SIM protection service, except those living abroad using roaming services and temporarily suspended users, the spokesperson told TechCrunch, adding that its fraud detection system has already been set up for all customers to prevent unauthorized login attempts using cloned SIM cards.
May 8, 2028
SKT is currently assessing how to handle the cancellation fees for users affected by the data breach incident. About 250,000 users have switched to another telecom provider following the breach, according to the company’s chief executive at a National Assembly hearing.
South Korean authorities, meanwhile, announced that 25 types of personal information were leaked from the company’s databases during the cyberattack.