SK Telecom

SK Telecom, the largest mobile network operator in South Korea, suffered a cybersecurity incident that went undetected for nearly three years. The breach exposed the USIM data of 27 million subscribers, including IMSI, USIM authentication keys, network usage data, and SMS/contacts stored in the SIM. The exposure increased the risk of SIM-swapping attacks, leading to the issuance of SIM replacements for all subscribers. The malware infection compromised 25 data types across 23 servers, 15 of which contained personal customer information. The company has strengthened security measures to prevent unauthorized number porting actions and is taking full responsibility for any damage that occurs despite its efforts.

Source: https://www.bleepingcomputer.com/news/security/sk-telecom-says-malware-breach-lasted-3-years-impacted-27-million-numbers/

TPRM report: https://scoringcyber.rankiteo.com/company/sk-telecom

"id": "SK-503052025",
"linkid": "sk-telecom",
"type": "Breach",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '26.95 million',
                        'industry': 'Telecommunications',
                        'location': 'South Korea',
                        'name': 'SK Telecom',
                        'size': 'Large',
                        'type': 'Mobile Network Operator'}],
 'attack_vector': 'Malware',
 'data_breach': {'data_exfiltration': 'Possible',
                 'number_of_records_exposed': '26.95 million',
                 'personally_identifiable_information': ['IMEI numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['IMSI',
                                              'USIM authentication keys',
                                              'network usage data',
                                              'SMS/contacts stored in the '
                                              'SIM']},
 'date_detected': '2025-04-19',
 'date_publicly_disclosed': '2025-05-08',
 'description': 'A cybersecurity incident at SK Telecom exposed the USIM data '
                'of 27 million subscribers, allowing attackers to steal data '
                'including IMSI, USIM authentication keys, network usage data, '
                'and SMS/contacts stored in the SIM.',
 'impact': {'data_compromised': ['IMSI',
                                 'USIM authentication keys',
                                 'network usage data',
                                 'SMS/contacts stored in the SIM'],
            'operational_impact': ['Stopped accepting new subscribers'],
            'systems_affected': ['23 compromised servers',
                                 '30,000 Linux servers examined']},
 'initial_access_broker': {'entry_point': 'Web shell infection',
                           'reconnaissance_period': 'June 15, 2022'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': ['Issued SIM replacements',
                                                   'Strengthened security '
                                                   'measures',
                                                   'Started logging activity '
                                                   'on impacted servers']},
 'references': [{'date_accessed': None, 'source': '@mstoned7', 'url': None}],
 'response': {'communication_strategy': ['Notified customers of the breach'],
              'containment_measures': ['Isolated equipment suspected of being '
                                       'hacked',
                                       'Issued SIM replacements for all '
                                       'subscribers'],
              'enhanced_monitoring': ['Started logging activity on the '
                                      'impacted servers'],
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': ['Strengthened security measures to '
                                       'prevent unauthorized number porting '
                                       'actions']},
 'title': 'SK Telecom Data Breach',
 'type': 'Data Breach'}