SK Telecom, South Korea’s largest telecom operator, suffered a major cyberattack disclosed in April 2025 that resulted in the theft of personal data belonging to roughly 23 million customers, nearly half the country’s population. The exposed data included names, contact details and mobile subscriber identifiers (the record below lists IMSI/IMEI among the compromised data types), and potentially financial records. Because subscriber identifiers are what bind a SIM to the network, the aftermath extended into May as the company reissued SIM cards to millions of affected users to reduce the risk of SIM-swapping fraud and identity theft. The attack exposed systemic weaknesses in South Korea’s cybersecurity posture, with regulators and government agencies struggling to coordinate a unified response. The incident severely damaged SK Telecom’s reputation, eroded customer trust, and raised national-security concerns over data exposure at this scale, particularly given the activity of state-backed threat actors in the region (the record below names the North Korea-linked Kimsuky group in related 2025 campaigns).
TPRM report: https://www.rankiteo.com/company/sk-telecom
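The SIM reissue described above is a reactive control: it invalidates stolen subscriber identifiers but does nothing to catch a SIM swap that already happened, or a subscriber the reissue campaign has not yet reached. The following is an added example (not code from SK Telecom, Rankiteo or the report above) of the two checks a carrier's fraud or SOC team would run alongside such a campaign: correlating SIM/USIM change events with sensitive actions (micro-payments, OTP logins, number ports) on the same subscriber inside a 24-hour window, and listing subscribers whose currently active IMSI still appears in the compromised set. The log formats, field names, subscriber IDs, IMSI values and the 24-hour window are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample feeds (hypothetical log formats, fake subscriber IDs
# and fake 15-digit IMSIs; not real SK Telecom or KT data).
SIM_LOG = """
2025-05-02T09:14:00 SIM_CHANGE sub=S1001 old=450990000000001 new=450990000000101
2025-05-02T11:30:00 SIM_CHANGE sub=S1002 old=450990000000002 new=450990000000102
2025-05-02T11:31:00 HEARTBEAT node=hlr-03
""".strip().splitlines()

ACTION_LOG = """
2025-05-01T08:00:00 ACTION sub=S1001 type=micropayment amount=5000
2025-05-02T09:40:00 ACTION sub=S1001 type=micropayment amount=49000
2025-05-02T09:41:00 ACTION sub=S1001 type=balance_check amount=0
2025-05-02T10:00:00 ACTION sub=S1003 type=micropayment amount=9000
2025-05-03T12:00:00 ACTION sub=S1002 type=otp_login amount=0
""".strip().splitlines()

# Active IMSI per subscriber after the reissue campaign, and the IMSIs known
# to be in the stolen data set (both constructed for the example).
ACTIVE_IMSI = {"S1001": "450990000000101",
               "S1002": "450990000000102",
               "S1003": "450990000000003"}
COMPROMISED_IMSI = {"450990000000001", "450990000000002", "450990000000003"}

# Action types that a freshly swapped SIM would let an attacker abuse.
SENSITIVE = {"micropayment", "otp_login", "number_port"}


@dataclass(frozen=True)
class SimChange:
    ts: datetime
    sub: str
    old_imsi: str
    new_imsi: str


@dataclass(frozen=True)
class Action:
    ts: datetime
    sub: str
    kind: str
    amount: int


def _kv(fields: list[str]) -> dict[str, str]:
    """Turn ['sub=S1001', 'old=...'] into {'sub': 'S1001', 'old': ...}."""
    return dict(f.split("=", 1) for f in fields if "=" in f)


def parse_sim_changes(lines: Iterable[str]) -> list[SimChange]:
    """Parse SIM_CHANGE records; any other record type is ignored."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] != "SIM_CHANGE":
            continue
        kv = _kv(parts[2:])
        out.append(SimChange(datetime.fromisoformat(parts[0]),
                             kv["sub"], kv["old"], kv["new"]))
    return out


def parse_actions(lines: Iterable[str]) -> list[Action]:
    """Parse ACTION records; missing amount defaults to 0."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] != "ACTION":
            continue
        kv = _kv(parts[2:])
        out.append(Action(datetime.fromisoformat(parts[0]),
                          kv["sub"], kv["type"], int(kv.get("amount", "0"))))
    return out


def flag_post_swap_actions(changes: list[SimChange], actions: list[Action],
                           window: timedelta = timedelta(hours=24)) -> list[tuple[Action, SimChange]]:
    """Return (action, change) pairs where a sensitive action happens on the
    same subscriber at or after a SIM change and within `window` of it.
    Actions before the change, outside the window, or of a non-sensitive
    type are not flagged."""
    by_sub: dict[str, list[SimChange]] = {}
    for c in changes:
        by_sub.setdefault(c.sub, []).append(c)
    hits = []
    for a in sorted(actions, key=lambda x: x.ts):
        if a.kind not in SENSITIVE:
            continue
        for c in by_sub.get(a.sub, []):
            if c.ts <= a.ts <= c.ts + window:
                hits.append((a, c))
                break
    return hits


def unreplaced_subscribers(active_imsi: dict[str, str], compromised: set[str]) -> set[str]:
    """Subscribers whose active IMSI is still on the compromised list, i.e.
    the reissue campaign has not reached them yet."""
    return {sub for sub, imsi in active_imsi.items() if imsi in compromised}


if __name__ == "__main__":
    for a, c in flag_post_swap_actions(parse_sim_changes(SIM_LOG), parse_actions(ACTION_LOG)):
        print(f"ALERT {a.sub}: {a.kind} of {a.amount} at {a.ts} "
              f"{a.ts - c.ts} after SIM change {c.old_imsi}->{c.new_imsi}")
    print("still on compromised IMSI:", sorted(unreplaced_subscribers(ACTIVE_IMSI, COMPROMISED_IMSI)))
```

With the constructed feeds, only S1001's 49,000 micro-payment is flagged (26 minutes after its SIM change); the earlier S1001 payment predates the swap, the S1002 OTP login falls 24.5 hours after its swap and so outside the window, and S1003 never changed SIM but is reported as still carrying a compromised IMSI. In production the window and the set of sensitive actions would be tuned per channel, and a hit would feed a step-up verification rather than an automatic block.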
"id": "sk-1802718100125",
"linkid": "sk-telecom",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '90,000',
'industry': 'Convenience Stores/Grocery',
'location': 'South Korea',
'name': 'GS Retail',
'size': 'Large',
'type': 'Retail'},
{'industry': 'Gaming/FinTech',
'location': 'South Korea',
'name': 'Wemix',
'size': 'Mid-Large',
'type': 'Blockchain'},
{'customers_affected': '20,000',
'industry': 'HR/Recruitment',
'location': 'South Korea',
'name': 'Albamon',
'size': 'Mid',
'type': 'Job Platform'},
{'customers_affected': '23,000,000',
'industry': 'Telecommunications',
'location': 'South Korea',
'name': 'SK Telecom',
'size': 'Large',
'type': 'Telecom'},
{'industry': 'Ticketing/Retail',
'location': 'South Korea',
'name': 'Yes24',
'size': 'Large',
'type': 'E-Commerce'},
{'industry': 'Insurance',
'location': 'South Korea',
'name': 'Seoul Guarantee Insurance (SGI)',
'size': 'Mid-Large',
'type': 'Financial Institution'},
{'customers_affected': '3,000,000',
'industry': 'Credit/Debit Cards',
'location': 'South Korea',
'name': 'Lotte Card',
'size': 'Large',
'type': 'Financial Services'},
{'industry': 'Lending',
'location': 'South Korea',
'name': 'Welrix F&I (Welcome Financial Group)',
'size': 'Mid-Large',
'type': 'Financial Services'},
{'customers_affected': '5,500',
'industry': 'Telecommunications',
'location': 'South Korea',
'name': 'KT Corporation',
'size': 'Large',
'type': 'Telecom'},
{'industry': 'Public Sector',
'location': 'South Korea',
'name': 'South Korean Government (Multiple Ministries)',
'size': 'National',
'type': 'Government'},
{'industry': 'International Relations',
'location': 'South Korea',
'name': '19 Foreign Embassies in South Korea',
'type': 'Diplomatic'},
{'industry': 'National Security',
'location': 'South Korea',
'name': 'Unnamed Defense-Related Institution',
'type': 'Military/Defense'}],
'attack_vector': ['Website Exploitation',
'Spear-Phishing (AI Deepfakes)',
'Fake Base Stations',
'Ransomware',
'Credential Stuffing',
'Social Engineering',
'Malware'],
'customer_advisories': ['SK Telecom: Free SIM card replacements for 23M '
'customers.',
'Lotte Card: Credit monitoring services for affected '
'customers.',
'Yes24: Service restoration updates and compensation '
'offers.',
'GS Retail/Albamon: Identity theft protection '
'recommendations.'],
'data_breach': {'data_exfiltration': ['Yes (GS Retail, Lotte Card, Welrix '
'F&I)',
'Likely (SK Telecom, KT)'],
'file_types_exposed': ['Databases',
'PDFs (resumes)',
'Emails',
'Transaction logs',
'Internal documents'],
'number_of_records_exposed': ['90,000 (GS Retail)',
'23,000,000 (SK Telecom)',
'20,000 (Albamon)',
'3,000,000 (Lotte Card)',
'5,500 (KT)'],
'personally_identifiable_information': ['Names',
'Birth dates',
'Addresses',
'Phone numbers',
'Email addresses',
'IMSI/IMEI'],
'sensitivity_of_data': ['High (PII, financial, diplomatic)',
'Medium (resumes, subscriber data)'],
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Financial Data',
'Resume/Employment Data',
'Diplomatic Communications',
'Mobile Subscriber Data (IMSI, '
'IMEI)',
'Internal Corporate Files']},
'date_detected': ['2025-01-04',
'2025-02-28',
'2025-04-30',
'2025-05-01',
'2025-06-09',
'2025-07-14',
'2025-08-01',
'2025-08-31',
'2025-09-01'],
'date_publicly_disclosed': ['2025-01-04',
'2025-03-04',
'2025-04-30',
'2025-05-01',
'2025-06-09',
'2025-07-14',
'2025-08-01',
'2025-08-31',
'2025-09-01'],
'date_resolved': ['2025-01-10',
'2025-03-10',
'2025-05-31',
'2025-06-13',
'2025-07-20',
'2025-08-05',
'2025-08-15',
'2025-09-15'],
'description': 'South Korea faced a surge of cyberattacks in 2025, targeting '
'credit card companies, telecoms, tech startups, government '
'agencies, and financial institutions. The incidents exposed '
'systemic vulnerabilities, including fragmented government '
'response, lack of skilled cybersecurity workforce, and '
'reactive (rather than proactive) cybersecurity measures. Key '
'attacks included data breaches at GS Retail, SK Telecom, '
'Lotte Card, and ransomware attacks on Yes24, Seoul Guarantee '
'Insurance, and Welrix F&I. North Korea-linked groups like '
'Kimsuky were implicated in espionage and phishing campaigns '
'using AI-generated deepfakes.',
'impact': {'brand_reputation_impact': ['SK Telecom',
'Lotte Card',
'Yes24',
'Welrix F&I',
'KT',
'South Korean government (fragmented '
'response)'],
'customer_complaints': ['SK Telecom (SIM replacement process)',
'Lotte Card (data exposure)',
'Yes24 (repeated outages)'],
'data_compromised': ['90,000 customer records (GS Retail: names, '
'birth dates, contact details, addresses, '
'emails)',
'23 million customer records (SK Telecom: '
'personal data)',
'20,000 resumes (Albamon: names, phone '
'numbers, emails)',
'200GB of data (Lotte Card: ~3 million '
'customers)',
'1TB+ internal files (Welrix F&I: sensitive '
'customer data)',
'Subscriber data (KT: IMSI, IMEI, phone '
'numbers, micro-payment fraud)',
'Diplomatic communications (19 embassies: '
'espionage via fake emails)'],
'downtime': ['4 days (Yes24, June 2025)',
'Few hours (Yes24, August 2025)',
'Days (Seoul Guarantee Insurance, July 2025)',
'Weeks (SK Telecom SIM replacements, April–May 2025)'],
'financial_loss': ['$6.2 million (Wemix)',
'Operational costs for SIM replacements (SK '
'Telecom)',
'Revenue loss during downtime (Yes24, SGI, '
'Welrix F&I)'],
'identity_theft_risk': ['GS Retail (90,000 customers)',
'SK Telecom (23M customers)',
'Lotte Card (3M customers)',
'Albamon (20,000 users)'],
'legal_liabilities': ['Potential fines under South Korea’s Personal Information Protection Act (PIPA)',
'Class-action lawsuits (e.g., SK Telecom, '
'Lotte Card)'],
'operational_impact': ['Service disruptions (Yes24, SGI, Welrix '
'F&I)',
'Customer verification delays (SGI)',
'Fraudulent micro-payments (KT)',
'Diplomatic communications compromise '
'(embassies)'],
'payment_information_risk': ['Lotte Card (credit/debit data)',
'KT (unauthorized micro-payments)'],
'revenue_loss': ['Yes24 (ticketing/retail sales)',
'Welrix F&I (lending operations)',
'Lotte Card (customer trust/transaction volume)'],
'systems_affected': ['GS Retail (website)',
'Wemix (blockchain infrastructure)',
'Albamon (job platform database)',
'SK Telecom (customer data systems)',
'Yes24 (ticketing/retail platform, twice)',
'Seoul Guarantee Insurance (core systems: '
'guarantees, verification)',
'Lotte Card (credit/debit card systems)',
'Welrix F&I (lending systems)',
'KT (mobile network via fake base stations)',
'South Korean military/defense institutions '
'(deepfake phishing)']},
'initial_access_broker': {'backdoors_established': ['Likely (Welrix F&I, KT)'],
'data_sold_on_dark_web': ['Yes (Welrix F&I: samples '
'leaked)'],
'entry_point': ['Compromised websites (GS Retail)',
'Phishing emails (Kimsuky)',
'Fake base stations (KT)',
'Exploited vulnerabilities (Yes24, '
'SGI)'],
'high_value_targets': ['Financial data (Lotte Card, '
'Welrix F&I)',
'Diplomatic communications '
'(embassies)',
'Military/defense '
'institutions'],
'reconnaissance_period': ['Months (Kimsuky embassy '
'espionage)',
'Weeks (Lotte Card: 17 '
'days undetected)']},
'investigation_status': ['Ongoing (multiple agencies)',
'Interagency plan announced (September 2025)'],
'lessons_learned': ['Fragmented government response exacerbates cyber risks.',
"Lack of a centralized 'first responder' agency delays "
'containment.',
'Skilled cybersecurity workforce shortage hinders '
'proactive defenses.',
'Reactive measures (e.g., SIM replacements) are costly '
'and insufficient.',
'AI-generated deepfakes pose emerging threats for '
'espionage/phishing.',
'Cross-ministerial coordination is critical for national '
'cyber resilience.'],
'motivation': ['Financial Gain',
'Espionage',
'Data Theft',
'Disruption',
'Cyber Warfare'],
'post_incident_analysis': {'corrective_actions': ['Presidential Office-led '
'interagency cyber defense '
'plan (September 2025).',
'Proposed legal reforms to '
'enable preemptive '
'government probes.',
'Increased funding for KISA '
'and cybersecurity '
'workforce development.',
'Mandatory breach reporting '
'timelines.',
'Public-private '
'cybersecurity task forces '
'(e.g., with SK Telecom, '
'Theori).',
'Pilot programs for '
'AI-driven threat detection '
'(e.g., deepfake phishing).',
'Hybrid governance model: '
'central strategy + '
'decentralized execution.'],
'root_causes': ['Lack of centralized cybersecurity '
'governance.',
'Silos between government agencies '
'(e.g., Ministry of Science and '
'ICT, KISA, National Security '
'Office).',
'Insufficient investment in '
'proactive defenses (e.g., threat '
'hunting, red teaming).',
'Delayed breach detection (e.g., '
'Lotte Card: 17 days).',
'Over-reliance on reactive '
'measures (e.g., SIM '
'replacements).',
'Skilled workforce shortage due to '
'systemic underinvestment.',
'Political deadlock prioritizing '
'short-term fixes over long-term '
'resilience.']},
'ransomware': {'data_encryption': ['Yes (core systems disrupted)'],
'data_exfiltration': ['Yes (Welrix F&I: 1TB+ leaked on dark '
'web)'],
'ransom_demanded': ['Yes (Yes24, SGI, Welrix F&I)',
'Amounts undisclosed']},
'recommendations': ['Establish a central cybersecurity authority with '
'technical and strategic oversight.',
'Mandate real-time breach reporting (even without company '
'disclosures).',
'Invest in workforce development (e.g., cybersecurity '
'training programs).',
'Implement hybrid model: central strategy + independent '
'agency execution (e.g., KISA).',
'Enhance public-private collaboration for threat '
'intelligence sharing.',
'Prioritize proactive defenses (e.g., AI-driven anomaly '
'detection, zero-trust architecture).',
'Conduct regular red-team exercises for critical '
'infrastructure.'],
'references': [{'date_accessed': '2025-09-15',
'source': 'TechCrunch',
'url': 'https://techcrunch.com'},
{'date_accessed': '2025-09-10',
'source': 'Trellix Threat Report (Kimsuky Campaign)',
'url': 'https://www.trellix.com'},
{'date_accessed': '2025-09-05',
'source': 'Genians Security Center (Deepfake Phishing)',
'url': 'https://www.genians.com'},
{'date_accessed': '2025-09-20',
'source': 'South Korean Ministry of Science and ICT',
'url': 'https://www.msit.go.kr'}],
'regulatory_compliance': {'legal_actions': ['Investigations ongoing (e.g., '
'Lotte Card, SK Telecom)'],
'regulations_violated': ['Potential violations of '
'South Korea’s Personal '
'Information Protection '
'Act (PIPA)',
'Financial sector '
'regulations'],
'regulatory_notifications': ['Delayed in some cases',
'New legal powers '
'proposed (September '
'2025)']},
'response': {'communication_strategy': ['Delayed disclosures (Wemix: 5-day '
'delay)',
'Public statements (SK Telecom, Lotte '
'Card)',
'Presidential Office announcements '
'(September 2025)'],
'containment_measures': ['SIM card replacements (SK Telecom)',
'System isolations (SGI, Yes24)',
'Network segmentation (KT)',
'Dark web monitoring (Welrix F&I)'],
'enhanced_monitoring': ['KISA-led initiatives',
'Embassy network traffic'],
'incident_response_plan_activated': ['Partial (company-level)',
'Delayed '
'(government-level)'],
'law_enforcement_notified': ['Yes (select cases)',
'Delayed in some incidents (e.g., '
'Lotte Card: 17-day delay)'],
'network_segmentation': ['KT (post-fake base station attack)'],
'recovery_measures': ['Service restoration (Yes24, SGI)',
'Fraudulent transaction reversals (KT)',
'Diplomatic cybersecurity advisories '
'(embassies)'],
'remediation_measures': ['Customer notifications (GS Retail, '
'Albamon)',
'Credit monitoring offers (Lotte Card)',
'Patch management (where applicable)'],
'third_party_assistance': ['Cybersecurity firms (e.g., Theori, '
'Genians)',
'KISA (Korea Internet & Security '
'Agency)']},
'stakeholder_advisories': ['Presidential Office: Cross-ministerial cyber '
'defense initiative (September 2025).',
'KISA: Enhanced monitoring for critical '
'infrastructure.',
'Financial Supervisory Service: Audits for Lotte '
'Card, Welrix F&I.'],
'threat_actor': ['Kimsuky (North Korea-linked)',
'Russian-linked Hacking Group',
'Unidentified Hackers'],
'title': 'Series of High-Profile Cyber Incidents in South Korea (2025)',
'type': ['Data Breach',
'Ransomware',
'Espionage',
'Phishing',
'Supply Chain Attack',
'Unauthorized Access']}