SKT Data Breach Timeline: A Complete Overview

May 8, 2025
SK Telecom Data Breach Impacts Millions of Customers

In April, a significant cyberattack targeted SK Telecom (SKT), a leading telecommunications company in South Korea. This breach resulted in the compromise of personal data belonging to approximately 23 million customers.

This figure represents nearly half of South Korea’s total population of 52 million residents, highlighting the scale of the incident.

Customer Exodus and Potential Financial Losses

During a hearing before the National Assembly in Seoul, SKT’s CEO, Young-sang Ryu, revealed that around 250,000 subscribers have already switched to alternative telecom providers following the data breach.

Ryu anticipates this number could escalate to 2.5 million – a more than ten-fold increase – should the company decide to eliminate cancellation fees for affected users.

The potential financial repercussions for SKT are substantial. Ryu stated the company could face losses of up to $5 billion (approximately ₩7 trillion) over the next three years if cancellation fees are waived.

SKT’s Response and Ongoing Investigation

SK Telecom views this security incident as the most critical in its history and is dedicating significant resources to mitigate the damage to its customer base, according to a company spokesperson.

The spokesperson confirmed to TechCrunch that the exact number of customers affected and the identity of the perpetrators are currently under investigation.

A collaborative investigation, involving both governmental and private sector entities, is actively underway to determine the root cause of the attack.

Compromised Data and Potential Risks

The Personal Information Protection Committee (PIPC) of South Korea announced on Thursday that 25 distinct types of personal information were exfiltrated from SKT’s central database, also known as its home subscriber server.

This compromised data includes mobile phone numbers, unique identifiers (IMSI numbers), USIM authentication keys, and other critical USIM data.

The exposure of this information significantly increases customers’ vulnerability to SIM swapping attacks and potential government surveillance.

Mitigation Efforts and Future Security Measures

Following the public disclosure of the incident on April 22, SKT has been proactively offering SIM card protection and complimentary SIM card replacements to its customers.

These measures are intended to prevent further exploitation of the compromised data.

“We initially detected potential information leakage concerning SIMs on April 19,” the SKT spokesperson explained to TechCrunch.

“Upon confirming the breach, we immediately isolated the affected system and initiated a comprehensive investigation of the entire infrastructure.”

SK Telecom is currently developing an enhanced system designed to safeguard user information through a SIM protection service, while simultaneously ensuring uninterrupted roaming capabilities for customers traveling outside of Korea. This system is expected to be operational by May 14.

Current Status and Lack of Confirmed Misuse

As of the latest reports, SKT has not received any notifications of secondary damage resulting from the breach.

Furthermore, there have been no verified instances of customer information being disseminated or misused on the dark web or other illicit platforms, the company has stated to TechCrunch.

  • Key Takeaway: The SK Telecom data breach is a major incident with potentially far-reaching consequences for millions of customers.
  • Ongoing Concern: The risk of SIM swapping attacks and surveillance remains elevated.

SKT Data Breach: A Chronological Overview

April 18, 2025

At 11:20 p.m. local time on April 18th, SKT identified anomalous activity within its systems. Investigation revealed unusual log entries and evidence of file deletions on equipment utilized for billing management.

This equipment specifically handles customer data pertaining to usage patterns and call durations.

April 19, 2025

A data breach was confirmed by SKT on April 19th, impacting the company’s home subscriber server located in Seoul. This server routinely stores crucial subscriber details.

Information housed within included authentication credentials, authorization parameters, location data, and mobility information.

April 20, 2025

SKT formally notified Korea’s national cybersecurity agency regarding the identified cyberattack incident.

April 22, 2025

SKT publicly acknowledged on its website that it had detected suspicious activity. The company indicated a “potential” data breach involving user USIM data.

April 28, 2025

SKT initiated a program to replace the mobile SIM cards of 23 million users. However, the company encountered difficulties securing an adequate supply of USIM cards to meet the demand for free replacements.

April 30, 2025

South Korean police launched an investigation into the suspected cyberattack on SKT that originated on April 18th.

May 1, 2025

Reports from local media sources indicated that numerous South Korean companies, including SKT, utilize Ivanti VPN equipment.

These reports suggested a potential connection between the recent data breach and hacking groups supported by China.

SKT reportedly received a cybersecurity advisory from the Korea Internet & Security Agency (KISA), instructing the company to disable and replace the Ivanti VPN.

TeamT5, a Taiwan-based cybersecurity firm, alerted the public to global threats originating from a China-linked, government-backed group. This group allegedly exploited vulnerabilities in Ivanti’s Connect Secure VPN systems to compromise organizations worldwide.

The impact spanned 20 industries across 12 countries, including Australia, South Korea, Taiwan, and the United States; affected sectors included automotive, chemical, financial, legal, media, research, and telecommunications.

May 6, 2025

Investigators uncovered an additional eight distinct types of malware in the SKT hacking case. The team is currently determining whether this new malware resides on the same home subscriber server as the initial four strains, or on separate equipment.

May 7, 2025

Tae-won Chey, chairman of SK Group – SKT’s parent company – issued a public apology for the data breach. This apology came approximately three weeks after the initial incident.

A company spokesperson informed TechCrunch that all eligible users had enrolled in the SIM protection service, with exceptions for those abroad utilizing roaming services or those with temporarily suspended accounts. The spokesperson also confirmed the implementation of a fraud detection system to prevent unauthorized access via cloned SIM cards.

May 8, 2025

SKT is currently evaluating its approach to handling cancellation fees for users impacted by the data breach. Approximately 250,000 users have switched to alternative telecom providers following the security incident, as stated by the company’s chief executive during a National Assembly hearing.

South Korean authorities announced that 25 categories of personal information were compromised during the cyberattack on the company’s databases.
