Probe suggests possible leak of SK Telecom users’ private info from cyberattack
Servers at SK Telecom Co. containing personal information and universal subscriber identity module (USIM) data of all subscribers have been compromised in a cyberattack, raising concerns that critical USIM data used in financial transactions may have been leaked, a joint government-private investigation team said Monday.
According to the team’s interim findings, the breach dates back to June 15, 2022, when unidentified attackers are believed to have planted malware on the company’s servers.
SK Telecom discovered the breach only a month ago, on April 18.
A total of 23 SK Telecom servers were compromised, up from five disclosed in the previous briefing held on April 29.
Following a detailed analysis of 15 of those servers, investigators found 25 malware variants: 24 BPFDoor variants and one WebCell variant. The remaining eight affected servers are still under investigation.
Investigators said it is believed that 9.32 gigabytes of USIM data, equivalent to roughly 26.9 million international mobile subscriber identity (IMSI) numbers, have been leaked. SK Telecom currently has 25 million subscribers, including 2 million budget phone users.
Among the affected servers, two had been used as temporary storage for personal data, such as names, birthdates, phone numbers and email addresses, as well as international mobile equipment identity (IMEI) data.
The IMSI and IMEI are unique identifiers for each user and device, respectively, on a network and could potentially be exploited in financial transactions.
In their previous briefing, the investigation team had said that servers storing IMEI numbers had not been infected with malware.
The team said it found no evidence of any data leakage between Dec. 3, 2024, and April 24 of this year according to available firewall log data from the hackers.
However, no log data was available between June 15, 2022, and Dec. 2, 2024, making it impossible to confirm whether any leaks occurred during that time frame.
Still, the Ministry of Science and ICT, which led the joint investigation team, said it is unlikely that hackers are able to duplicate a smartphone using only the leaked IMEI numbers.
“IMEI is a 15-digit number. It’s technically impossible to duplicate a mobile phone using only this number without product keys,” Deputy Minister Ryu Je-myung said.
“We’ve confirmed this through device manufacturers. The product keys are stored with the manufacturing companies,” he added.
The investigators said the Personal Information Protection Commission will determine whether SK Telecom violated the Personal Information Protection Act by keeping log records only for four months and by failing to encrypt the leaked personal information.
They have also demanded that SK Telecom take measures to prevent user damage.
In response, the company has offered to replace the USIM of all 25 million subscribers, including 2 million budget phone users, free of charge to prevent identity theft or financial fraud.
The company has also enrolled all users in its USIM protection service, which, it says, offers the same level of protection against unauthorized financial activities as a physical USIM replacement.