SK Telecom (SKT), a major South Korean telecommunications provider, suffered a malware breach discovered in April 2025 that exposed sensitive data of 27 million subscribers, potentially for years (possibly since August 2021). Threat actors infiltrated critical infrastructure, including the Home Subscriber Server (HSS), compromising USIM authentication keys (KI), IMSI numbers, IMEI identifiers, phone numbers, email addresses, and other personal data. The breach resulted from negligent security practices, including unprotected servers (no passwords), outdated operating systems without patches, and weak intranet defenses. The Personal Information Protection Commission fined SKT ~$96.53 million for failing to safeguard data and delaying customer notifications. SKT was forced to overhaul governance, adopt a zero-trust architecture, expand encryption, form a red team, and elevate its CISO role. Customers received free USIM replacements, subscription discounts, and penalty-free contract cancellations. The incident severely damaged SKT’s reputation, financial standing, and operational trust, necessitating systemic reforms to prevent future breaches.
Source: https://www.techradar.com/pro/security/sk-telecom-hit-with-usd97-million-fine-over-massive-data-leak
TPRM report: https://www.rankiteo.com/company/sk-telecom
"id": "sk-905083025",
"linkid": "sk-telecom",
"type": "Breach",
"date": "8/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '27 million',
                        'industry': 'Telecommunications',
                        'location': 'South Korea',
                        'name': 'SK Telecom (SKT)',
                        'size': 'Large (one of the biggest in South Korea)',
                        'type': 'telecommunications provider'}],
 'attack_vector': ['malware',
                   'exploitation of unpatched vulnerabilities',
                   'lack of authentication'],
 'customer_advisories': ['Free USIM card replacements',
                         '50% discount on August subscription fees',
                         'Waiver of early contract termination fees'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '27 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes USIM keys, IMSI, IMEI, and personal data)',
                 'type_of_data_compromised': ['subscriber authentication data',
                                              'personal identifiable information (PII)',
                                              'device identifiers']},
 'date_detected': '2025-04',
 'description': 'SK Telecom (SKT), one of the largest telecommunications providers in South Korea, suffered a malware breach discovered in April 2025. The breach, which may have started as early as August 2021, exposed sensitive subscriber data of approximately 27 million people due to weak security measures, including outdated systems, lack of passwords, and unpatched vulnerabilities. The company was fined ~$96.53 million for negligence and delays in customer notification.',
 'impact': {'brand_reputation_impact': "Severe; public acknowledgment of 'grave responsibility' and loss of customer trust",
            'data_compromised': ['USIM authentication keys (KI)',
                                 'International Mobile Subscriber Identity (IMSI) numbers',
                                 'IMEI device identifiers',
                                 'phone numbers',
                                 'email addresses',
                                 'potentially other personal data'],
            'financial_loss': '$96.53 million (fine)',
            'identity_theft_risk': 'High (due to exposure of IMSI, IMEI, and personal data)',
            'legal_liabilities': '$96.53 million fine by Personal Information Protection Commission',
            'operational_impact': 'Significant; required revamp of governance and security measures',
            'systems_affected': ['Home Subscriber Server (HSS)',
                                 'critical infrastructure',
                                 'intranet']},
 'initial_access_broker': {'entry_point': ['unsecured intranet', 'outdated servers'],
                           'high_value_targets': ['Home Subscriber Server (HSS)',
                                                  'subscriber authentication data'],
                           'reconnaissance_period': 'Potentially from August 2021 to April 2025 (nearly 4 years)'},
 'investigation_status': 'Completed (regulatory fine issued; remediation ongoing)',
 'lessons_learned': ['Critical importance of basic security measures (e.g., passwords, patches)',
                     'Need for proactive monitoring to detect long-term intrusions',
                     'Significance of timely customer notification in breach scenarios',
                     'Governance and security culture must be prioritized at the executive level'],
 'post_incident_analysis': {'corrective_actions': ['Zero-trust architecture implementation',
                                                   'Expanded encryption',
                                                   'Red team exercises',
                                                   'CISO reporting directly to CEO',
                                                   'Board-level cybersecurity expertise',
                                                   'Customer compensation and retention measures'],
                            'root_causes': ['Lack of basic security controls (e.g., passwords, patches)',
                                            'Outdated and unpatched operating systems',
                                            'Weak intranet security allowing lateral movement',
                                            'Delayed detection of long-term intrusion',
                                            'Inadequate governance and oversight of security practices']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Adopt zero-trust architecture enterprise-wide',
                     'Regularly audit and update security patches',
                     'Implement multi-factor authentication (MFA) for critical systems',
                     'Enhance intrusion detection and response capabilities',
                     'Conduct third-party security assessments',
                     'Establish clearer incident response protocols for timely disclosure'],
 'references': [{'source': 'Reuters'}],
 'regulatory_compliance': {'fines_imposed': '$96.53 million (134 billion won)',
                           'regulations_violated': ['Personal Information Protection Act (South Korea)'],
                           'regulatory_notifications': ['Delayed notification to customers']},
 'response': {'communication_strategy': ['Public acknowledgment of responsibility',
                                         'Customer notifications (delayed)',
                                         'Offers for free USIM replacements and subscription discounts'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Information Security Innovation Plan'],
              'remediation_measures': ['Implementation of zero-trust architecture',
                                       'Expansion of encryption',
                                       'Formation of a red team',
                                       'Elevation of CISO role to report directly to CEO',
                                       'Addition of cybersecurity experts to the board',
                                       'Free USIM card replacements for customers',
                                       '50% discount on August subscription fees',
                                       'Waiver of early contract termination fees']},
 'title': 'SK Telecom Data Breach (2025)',
 'type': ['data breach', 'malware intrusion', 'unauthorized access'],
 'vulnerability_exploited': ['outdated operating systems',
                             'missing security patches',
                             'no password protection on critical servers',
                             'weak intranet security']}