In April, South Korea’s telco giant SK Telecom (SKT) was hit by a cyberattack that led to the theft of personal data on approximately 23 million customers, equivalent to almost half of the country’s 52 million residents.
At a National Assembly hearing in Seoul on Thursday, SKT chief executive Young-sang Ryu said about 250,000 users have switched to a different telecom provider following the data breach. He said that expects this number to reach 2.5 million, more than tenfold the current amount, if the company waives cancellation fees.
The company could lose up to $5 billion (around ₩7 trillion) over the next three years if it decides not to charge cancellation fees for users who want to cancel their contract early, Ryu said at the hearing.
“SK Telecom considers this incident the most severe security breach in the company’s history and is putting forth our utmost effort to minimize any damage to our customers,” a spokesperson at SKT told TechCrunch in an emailed statement. “The number of customers affected and the entity responsible for the hacking is under investigation,” the spokesperson added.
A joint investigation involving both public and private entities is currently underway to identify the specific cause of the incident.
The Personal Information Protection Committee (PIPC) of South Korea announced on Thursday that 25 different types of personal information, including mobile phone numbers and unique identifiers (IMSI numbers), as well as USIM authentication keys and other USIM data, had been exfiltrated from its central database, known as its home subscriber server. The compromised data can put customers at greater risk of SIM swapping attacks and government surveillance.
After its official announcement of the incident on April 22, SKT has been offering SIM card protection and free SIM card replacements to prevent further damage to its customers.
“We detected possible information leakage regarding SIM on April 19,” the spokesperson at SKT told TechCrunch. “Following the identification of the breach, we immediately isolated the affected device while thoroughly investigating the entire system.”
“To further safeguard our customers, we are currently developing a system that can protect users’ information through the SIM protection service while allowing them to use roaming services seamlessly outside of Korea by May 14,” the spokesperson said.
To date, SKT has not received any reports of secondary damage and no verified instances of customer information being distributed or misused on the dark web or other platforms, the company told TechCrunch.
A timeline of SKT’s data breach
April 18, 2025
SKT detected abnormal activities on April 18 at 11:20 pm local time. SKT found unusual logs and signs of files having been deleted on equipment that the company uses for monitoring and managing billing information for its customers, including data usage and call durations.
April 19, 2025
The company identified a data breach on April 19 in its home subscriber server in Seoul, which typically houses subscriber information, including authentication, authorization, location, and mobility details.
April 20, 2025
SKT reported the cyberattack incident to Korea’s cybersecurity agency on April 20.
April 22, 2025
SKT confirmed on its website that it detected suspicious activity, indicating a “potential” data breach involving some information related to users’ USIMs data.
April 28, 2025
SKT began replacing mobile SIM cards of 23 million users, but the company has faced shortages in obtaining sufficient USIM cards to fulfill its promise to provide free SIM card replacements.
April 30, 2025
South Korean police began investigating SKT’s suspected cyberattack on April 18.
April 30, 2025
South Korean police began investigating SKT’s cyberattack on April 30.
According to local media reports, many South Korean companies, including SKT, use Ivanti VPN equipment, and that the recent data breach may be connected to China-backed hackers.
Per a local media report, SKT said it received a cybersecurity notice from KISA instructing the company to turn off and replace the Ivanti VPN.
TeamT5, a cybersecurity company based in Taiwan, alerted the public to the worldwide threats posed by a government-backed group linked to China, which allegedly took advantage of vulnerabilities in Ivanti’s Connect Secure VPN systems to gain access to multiple organizations globally.
Some 20 industries have been affected, including automotive, chemical, financial institutions, law firms, media, research institutes, and telecommunications, across 12 countries, including Australia, South Korea, Taiwan, and the United States.
May 6, 2025
A team of public and private investigators discovered an additional eight types of malware in SKT’s hacking case. The team is currently investigating whether the new malware was installed on the same home subscriber server as the original four strains or if they are located on separate server equipment.
May 7, 2025
Tae-won Chey, the chairman of SK Group, which operates SKT, publicly apologized for the first time for the data breach, some three weeks after the breach occurred.
As of May 7, all eligible users have been signed up for the SIM protection service, except those living abroad using roaming services and temporarily suspended, the spokesperson told TechCrunch, adding that its fraud detection system has already been set up for all customers to prevent unauthorized login attempts using cloned SIM cards.
May 8, 2028
SKT is currently assessing how to handle the cancellation fees for users affected by the data breach incident. About 250,000 users have switched to another telecom provider following the breach, according to the company’s chief executive at a National Assembly hearing.
South Korean authorities, meanwhile, announced that 25 types of personal information were leaked from the company’s databases during the cyberattack.
