Telecom giant SK Telecom has confirmed a major data breach that exposed over 26.9 million subscriber SIM records, raising serious concerns about cybersecurity gaps within the company’s infrastructure.
The breach, officially reported to the Korea Internet & Security Agency (KISA) on April 22, revealed that SK Telecom had been unaware of persistent hacking attempts targeting its servers for nearly three years. Investigators traced the earliest point of compromise to June 15, 2022.
A joint public-private investigative team, led by the Ministry of Science and ICT, disclosed that 25 distinct types of malware—24 variants of the BPFDoor family and one web shell—had infected 23 internal servers. This represented a significant increase from the team’s initial findings, which had counted just 4 malware types and 5 infected servers.
Choi Woo-hyuk, Director of Information Security and Network Policy at the Ministry of Science and ICT, stated:
“SK Telecom became aware of the (servers being infected with malware) after the incident.”
Forensic analysis has so far been completed on 15 of the affected servers, while eight others remain under investigation.
Lee Dong-geun, head of KISA’s Digital Threat Response Headquarters, explained:
“The additionally discovered malware web shell was for the initial penetration purpose.”
“At this point, there have been no confirmed leaks, and there are no signs that the risk of a security incident has suddenly increased due to the additional discoveries of types of malware and an increase in the number of servers.”
Despite these reassurances, the breach exposed a massive dataset of 9.82 GB, equating to 26,957,749 entries tied to subscriber identification keys (IMSI). The compromised servers also stored unencrypted personal details, including names, birth dates, email addresses, phone numbers, and IMEI numbers—raising additional concerns about the possibility of identity theft and SIM fraud.
A critical gap in log retention further complicates the matter. While logs from December 3, 2023, to April 24, 2024, confirm no IMEI data was leaked, the period from June 15, 2022, to December 2, 2023, lacks logs entirely. As a result, investigators cannot definitively confirm whether any data was exfiltrated during that 18-month period.
As noted by the Deputy Minister:
“It is very difficult to make a judgment realistically without logs.”
“We are conducting various reviews based on multiple scenarios.”
The investigation continues with forensic analysis of the missing log period to assess the extent of potential personal data exposure. Authorities clarified there is currently no indication that attackers intentionally deleted the missing logs.
The breach has reignited public and regulatory concern over SIM swapping—a tactic where stolen subscriber details are used to clone mobile identities for fraudulent use. Initial assessments had ruled out this risk, but the updated findings now leave room for uncertainty.
Ryu Je-myung, Director of the Network Policy Office at the Ministry of Science and ICT, addressed these concerns:
“Cloning a smartphone is impossible with only a 15-digit IMEI value.”
“We believe that even if the security enhancement work is completed by SK Telecom, creating an environment for SIM cloning is physically impossible.”
As a precautionary response, SK Telecom has upgraded its fraud detection system (FDS) to its highest operational level, targeting abnormal authentication behaviors.