Incident

SK Telecom reports customer data breach in malware attack



SK Telecom, South Korea's largest mobile operator, has disclosed a security breach involving customer USIM data following a malware infection. 

SK Telecom serves approximately 48.4% of the mobile phone service market in South Korea, corresponding to 34 million subscribers. 

The malware infection was detected on SK Telecom's systems at 11 PM local time on Saturday, April 19, 2025. The breach involved unauthorized access to USIM-related information, which may include:

  • International Mobile Subscriber Identity (IMSI)
  • Mobile Station ISDN Number (MSISDN)
  • Authentication keys
  • Network usage data
  • SMS messages (if stored on the SIM)
  • Contact information (if stored on the SIM)

This type of information could potentially be exploited for targeted surveillance, user tracking or SIM-swap attacks.

The nature of the attack and the number of affected individuals have not been disclosed.

SK Telecom has reported the incident to the Korea Internet & Security Agency (KISA) and to South Korea's Personal Information Protection Commission. It has also implemented protocols to immediately suspend service for accounts showing suspicious activity.

SK Telecom is recommending that subscribers sign up for USIM protection service through their portal, which prevents mobile numbers from being ported to another SIM card when enabled.

Update - As of 28th of April 2025, SK Telecom started to replace mobile SIM cards for its 23 million users following the data breach. Concerned customers formed long queues to get the replacements.

As of 8th of May 2025, SK Telecom described the incident as "the most severe security breach in the company's history." The incident has led to the theft of personal data on approximately 23 million customers, equivalent to almost half of South Korea's 52 million residents. It has already caused substantial customer churn, with SKT's chief executive Young-sang Ryu revealing at a National Assembly hearing in Seoul that about 250,000 users have switched to different telecom providers following the incident.

Early reports suggest a possible connection to vulnerabilities in Ivanti Connect Secure VPN systems. On May 6, investigators discovered an additional eight types of malware in SKT's systems, further complicating the investigation.

As of 18th of May 2025, a team of investigators found that nearly 27 million units of international mobile subscriber identity (IMSI) have been leaked in SK Telecom’s data breach. The investigators report they have so far found 25 types of malware and 23 hacked servers. Among the affected servers, two had been used as temporary storage for personal data, such as names, birthdays, phone numbers and email addresses. Investigators said they are still working to determine the exact scope of data stored on those two servers.

SK Telecom reports that the malware behind the massive data breach had been sitting undetected in the telco’s systems as far back as 2022. The investigation revealed that the attackers first embedded malware on June 15, 2022.
