SK Telecom, the largest mobile network operator in South Korea, experienced a cybersecurity incident that started in June 2022 and was detected in April 2025. The breach exposed the USIM data of 27 million subscribers, including IMSI, USIM authentication keys, network usage data, and SMS/contacts stored in the SIM. The incident increased the risk of SIM-swapping attacks, leading the company to issue SIM replacements and enhance security measures. The breach compromised 25 data types and 23 servers, with 15 servers containing personal customer information, including 291,831 IMEI numbers. The company halted new subscriptions temporarily to manage the fallout.
TPRM report: https://scoringcyber.rankiteo.com/company/sk-telecom
{
  "id": "sk-524052025",
  "linkid": "sk-telecom",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '26.95 million',
            'industry': 'Telecommunications',
            'location': 'South Korea',
            'name': 'SK Telecom',
            'size': 'Large',
            'type': 'Telecommunications Company'
        }
    ],
    'attack_vector': 'Malware',
    'customer_advisories': 'SIM card replacements and elevated security measures activated automatically',
    'data_breach': {
        'data_encryption': None,
        'data_exfiltration': None,
        'file_types_exposed': None,
        'number_of_records_exposed': '27 million',
        'personally_identifiable_information': None,
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': [
            'IMSI',
            'USIM authentication keys',
            'network usage data',
            'SMS/contacts stored in the SIM'
        ]
    },
    'date_detected': '2025-04-19',
    'date_publicly_disclosed': '2025-05-08',
    'date_resolved': None,
    'description': 'A cybersecurity incident at SK Telecom in April 2025 exposed the USIM data of 27 million subscribers, with the breach dating back to 2022.',
    'impact': {
        'brand_reputation_impact': None,
        'conversion_rate_impact': None,
        'customer_complaints': None,
        'data_compromised': [
            'IMSI',
            'USIM authentication keys',
            'network usage data',
            'SMS/contacts stored in the SIM'
        ],
        'downtime': None,
        'financial_loss': None,
        'identity_theft_risk': None,
        'legal_liabilities': None,
        'operational_impact': ['Stopped accepting new subscribers'],
        'payment_information_risk': None,
        'revenue_loss': None,
        'systems_affected': ['23 compromised servers']
    },
    'initial_access_broker': {
        'backdoors_established': None,
        'data_sold_on_dark_web': None,
        'entry_point': 'Web shell infection',
        'high_value_targets': None,
        'reconnaissance_period': None
    },
    'investigation_status': 'Ongoing',
    'lessons_learned': None,
    'motivation': 'Data Theft',
    'post_incident_analysis': {
        'corrective_actions': None,
        'root_causes': 'Initial web shell infection on June 15, 2022'
    },
    'ransomware': {
        'data_encryption': None,
        'data_exfiltration': None,
        'ransom_demanded': None,
        'ransom_paid': None,
        'ransomware_strain': None
    },
    'recommendations': None,
    'references': [
        {'date_accessed': None, 'source': '@mstoned7', 'url': None}
    ],
    'regulatory_compliance': {
        'fines_imposed': None,
        'legal_actions': None,
        'regulations_violated': None,
        'regulatory_notifications': None
    },
    'response': {
        'adaptive_behavioral_waf': None,
        'communication_strategy': [
            'Notified customers',
            'Announced responsibility for any damage'
        ],
        'containment_measures': [
            'Isolated the equipment suspected of being hacked',
            'Issued SIM replacements for all subscribers',
            'Strengthened security measures to prevent unauthorized number porting actions'
        ],
        'enhanced_monitoring': None,
        'incident_response_plan_activated': None,
        'law_enforcement_notified': None,
        'network_segmentation': None,
        'on_demand_scrubbing_services': None,
        'recovery_measures': None,
        'remediation_measures': None,
        'third_party_assistance': None
    },
    'stakeholder_advisories': None,
    'threat_actor': None,
    'title': 'SK Telecom Data Breach',
    'type': 'Data Breach',
    'vulnerability_exploited': None
}