Millions of SK Telecom Customers Are Potentially at Risk Following USIM Data Compromise

Summary:
South Korea's largest mobile network operator, SK Telecom, has confirmed a data breach that targeted its users' USIM (Universal Subscriber Identity Module) data. The incident was traced back to a malware infection on SK Telecom's internal networks in the early hours of Saturday, 19 April 2025. USIMs are part of mobile phones and store confidential subscriber data, such as the IMSI (International Mobile Subscriber Identity) and the encryption key, which are used to identify and authenticate the user and to encrypt their communications.

Such data, if exploited, could be used to carry out SIM swapping, impersonation, or identity fraud. SK Telecom spotted the infection and immediately eliminated it, and the infected device was quarantined. The incident was reported to the Korea Internet & Security Agency (KISA) and to the Personal Information Protection Commission. There is no confirmed evidence at this point that the stolen data has been maliciously exploited, but the cause of the infection and the data that were accessed remain under investigation.

Security Officer Comments:
This incident is especially worrying since SK Telecom controls much of the South Korean mobile market: about 48% of subscribers use its services, roughly 34 million users. That level of penetration alone makes any compromise of this sort a threat to national security. It is reassuring that the firm moved quickly to stop the threat and alert the authorities, but the fact that malware managed to get past the controls protecting core customer information raises questions about SK Telecom’s internal controls.

Given the type of data at risk (cryptographic keys and SIM identifiers), it’s possible that sophisticated attacks could be staged. These could include SIM cloning or interception of highly secure mobile communications. Even without proof of abuse, the incident demonstrates how much of a high-value target telecom infrastructure is for cybercriminals and even, at least theoretically, nation-backed actors. It also highlights the importance of vigilant monitoring, regular audits, and investment in zero-trust architecture within that infrastructure. SK Telecom’s openness so far is a positive development, but it’s critical that the firm continues to report back as more data becomes available.

Suggested Corrections:
In response to the incident, SK Telecom has adopted a range of measures to protect its users and tighten its defenses. The company has upgraded its security practices to detect and block illegal SIM swaps and suspect authentication requests, which are standard practices adopted in response to USIM data breaches. It’s also offering a free ‘SIM protection service’ to reportedly affected users, providing them with additional monitoring and alerts on SIM-based actions. These actions are meant to reduce the risk of unauthorized SIM use or unauthorized access linked to breached accounts.

SK Telecom has reported the incident to KISA and the Personal Information Protection Commission, as appropriate. The company is continuing to investigate to determine exactly where and how the breach occurred, which systems were compromised, and whether additional personal data was targeted. In the meantime, the firm’s users are advised to watch for any unusual mobile service activity related to their accounts and to avail themselves of the free protection service now offered. Such mitigation steps are a robust starting point, but more will certainly follow based on the findings of the investigation.

Link(s):
https://securityaffairs.com/176802/data-breach/sk-telecom-data-breach.html