
SK Telecom has now confirmed that a massive data breach involving 26.95 million USIM records has affected nearly its entire subscriber base, raising serious concerns about the depth and duration of the compromise.
The latest findings from the joint public-private investigation reveal that the company's systems were infected with 25 different malware strains, which went undetected for nearly three years.
The disclosure comes from a daily briefing issued by SK Telecom on May 19, 2025, and coincides with the release of a second interim report by the South Korean government-led investigation team. The intrusion began with a web shell installed on June 15, 2022, and grew into a malware infestation spanning 23 Linux servers in the company's infrastructure. The implants included stealthy backdoors such as BPFdoor variants, which wait on a raw packet socket for a specially crafted trigger packet instead of opening a listening port, so they show up in neither port scans nor listening-socket listings and are well suited to long-term persistence.
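A host-side check for the BPFdoor-style implants mentioned above, as an added example that is not code from the investigation, from SK Telecom, or from the BPFdoor authors. It parses /proc/net/packet, which lists every AF_PACKET socket on a Linux host regardless of what the owning process calls itself, ties each socket inode to a pid through /proc/<pid>/fd, and flags owners that are not on an allowlist or that show classic implant traits (binary deleted from disk, binary under a tmpfs or world-writable path, process name that does not match the executable). The sample /proc data and process list are constructed; the allowlist, the suspect directories and the name-matching heuristic are assumptions to tune per environment.

```python
"""Hunt for BPFdoor-style passive backdoors: processes holding AF_PACKET raw sockets.
Added example (not from the investigation or SKT). Sample data is constructed; the
allowlist and path heuristics are assumptions to tune per fleet."""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3        # "Type" column of /proc/net/packet for a raw socket
ETH_P_ALL = 0x0003  # "Proto" column (hex) meaning "every ethertype"
# Assumption: daemons that legitimately hold packet sockets on a typical server.
ALLOWED_COMMS = {"dhclient", "dhcpcd", "NetworkManager", "tcpdump", "systemd-network"}
SUSPECT_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int


@dataclass
class ProcInfo:
    pid: int
    comm: str         # contents of /proc/<pid>/comm (kernel truncates to 15 chars)
    exe: str          # target of the /proc/<pid>/exe link
    fd_targets: list  # targets of every /proc/<pid>/fd/* link


def parse_proc_net_packet(text):
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) >= 9:
            sockets.append(PacketSocket(int(f[8]), int(f[2]), int(f[3], 16)))
    return sockets


def socket_owners(sockets, procs):
    """Map each packet-socket inode to the pids whose fd tables reference it."""
    wanted = {s.inode for s in sockets}
    owners = {}
    for p in procs:
        for target in p.fd_targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(p.pid)
    return owners


def assess(sockets, procs):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    by_pid = {p.pid: p for p in procs}
    owners = socket_owners(sockets, procs)
    findings = {}
    for s in sockets:
        for pid in owners.get(s.inode, []):
            p, reasons = by_pid[pid], []
            if s.sock_type == SOCK_RAW and s.proto == ETH_P_ALL and p.comm not in ALLOWED_COMMS:
                reasons.append("unallowlisted process sniffing all ethertypes")
            if p.exe.endswith(" (deleted)"):
                reasons.append("backing binary deleted from disk")
            if p.exe.startswith(SUSPECT_DIRS):
                reasons.append("binary runs from tmpfs or a world-writable dir")
            base = os.path.basename(p.exe.replace(" (deleted)", ""))
            # comm is truncated to 15 chars, so compare prefixes in both directions
            if base and not (base.startswith(p.comm) or p.comm.startswith(base)):
                reasons.append(f"process name {p.comm!r} does not match exe {base!r}")
            if reasons:
                findings.setdefault(pid, []).extend(reasons)
    return findings


def collect_live(proc="/proc"):
    """Gather the same structures from the running host (root needed for others' fds)."""
    with open(f"{proc}/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    procs = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc}/{entry}/exe")
            fds = [os.readlink(f"{proc}/{entry}/fd/{n}") for n in os.listdir(f"{proc}/{entry}/fd")]
        except OSError:
            continue  # process exited, or not ours to inspect
        procs.append(ProcInfo(int(entry), comm, exe, fds))
    return sockets, procs


# Constructed sample: a DHCP client next to a masquerading implant whose binary
# was unlinked from /dev/shm after launch.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2c1e3b4000 3      3    0003   2     1 0      0      41337
ffff9a2c1e3b4800 3      2    0800   2     1 0      0      41400
"""
SAMPLE_PROCS = [
    ProcInfo(812, "dhclient", "/usr/sbin/dhclient", ["socket:[41400]", "/dev/null"]),
    ProcInfo(4471, "udevd", "/dev/shm/.x (deleted)", ["socket:[41337]", "/dev/null"]),
]

if __name__ == "__main__":
    for pid, reasons in assess(parse_proc_net_packet(SAMPLE_PACKET), SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))  # on a real host use assess(*collect_live())
```

On a live host, run it as root so every process's fd table is readable; a sniffing process that is not on the allowlist is worth a look even without the other traits, since a BPF filter can be attached to the socket without leaving any sign in `ss` or `netstat`.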
SK Telecom, South Korea's largest mobile carrier with approximately 29 million subscribers, plays a central role in the country's digital ecosystem, offering 5G, LTE, AI, and IoT services.
The 26.95 million exposed USIM records include IMSI identifiers and were part of a 9.82 GB dataset confirmed to have been exfiltrated. Though this number exceeds SKT's actual subscriber count, the investigation team clarified that it also includes internal test entries and placeholder values. Additionally, two compromised servers linked to SKT's integrated customer authentication system were found to have temporarily stored unencrypted personal data, including names, dates of birth, email addresses, and 291,831 IMEI device identifiers.
Notably, SKT's internal monitoring failed to detect the intrusion for over two and a half years. Log data is available only from December 3, 2024, so there is little visibility into what left the network between June 2022 and that date. Investigators acknowledged that information from this early period may have been stolen, but said no evidence of it has yet surfaced on dark web markets; the absence of such evidence does not establish that nothing was taken.
Despite the scale of the breach, SKT maintains that no confirmed case of SIM or phone cloning has been tied to the incident. The company says its updated abnormal-authentication detection system (FDS 2.0), now active across its network, can reliably block unauthorized device or USIM replication by checking the legitimacy of the device, the USIM, and the subscriber in three separate layers.
In a public statement, SKT pledged to accept full responsibility for any customer harm resulting from the breach. The company says it has notified affected customers and enrolled them automatically in its USIM Protection Service, now extended to cover overseas usage. It is also cooperating with law enforcement and is still conducting forensic analysis of the eight infected servers not yet examined. A final investigation report is expected by the end of June 2025, once that analysis is complete.