South Korea’s top telecom giant, SK Telecom, has confirmed a devastating data breach that went unnoticed for nearly three years. The cyberattack, which originated in mid-2022 but was only detected in April 2025, has compromised the USIM data of nearly 27 million users. With the breach affecting half the nation’s mobile subscribers, the scale and duration of the intrusion have sparked serious concerns about cybersecurity preparedness in critical infrastructure. Here’s a full breakdown of the unfolding situation, how it happened, and what it means going forward.
Here’s What Happened (Digest Summary):
SK Telecom, South Korea’s largest mobile network operator, revealed that a cyberattack dating back to June 2022 went undetected for almost three years, ultimately leading to the theft of sensitive SIM card data from nearly 27 million subscribers. The breach was discovered on April 19, 2025, when malware was detected within the company’s systems. This triggered an emergency response, including the isolation of infected equipment and an internal investigation.
Upon further examination, it was revealed that hackers had accessed highly sensitive data, including International Mobile Subscriber Identity (IMSI) numbers, USIM authentication keys, network usage logs, and even SMS messages and contact lists stored on SIM cards. The IMSI and the authentication key together are exactly what a USIM uses to prove its identity to the network, so an attacker holding both can clone a subscriber's SIM outright rather than having to trick the carrier into a SIM swap. Either way the outcome is the same: the attacker can impersonate the victim, hijack the phone number, and receive the SMS codes that two-factor authentication services send.
To contain the damage, SK Telecom announced that it would issue SIM replacements for all affected customers and implement automatic security enhancements to guard against unauthorized device changes and number porting. On May 8, a government investigative committee disclosed that 25 types of data had been compromised. SK Telecom, overwhelmed by the magnitude of the breach, even halted new customer registrations to focus on managing the crisis.
In an update issued yesterday, the company admitted that 26.95 million users were affected, with the malware spreading across 23 compromised servers, each running Linux. An investigation by a joint public-private cybersecurity team found that the initial infection occurred on June 15, 2022, via a web shell. From that point forward, attackers stealthily deployed multiple malware payloads, leaving 15 servers housing customer data—including 291,831 IMEI numbers—exposed.
SK Telecom, however, disputed that specific IMEI data was accessed. The company also admitted that logging on the affected servers only began on December 3, 2024, meaning that any unauthorized access between June 2022 and that date likely went unnoticed. Despite this, SK Telecom insists that current security systems are effectively blocking all known malicious activities and reiterated its commitment to assume full responsibility for any user damages.
What Undercode Says (Analytical Commentary):
This incident isn’t just a technical failure. It’s a glaring red flag in the realm of telecom cybersecurity. When a breach remains hidden for three years, involving the compromise of personal data from nearly half a country’s mobile users, it becomes a matter of national concern and not just corporate embarrassment.
First, this breach underscores a massive failure in monitoring and threat detection. SK Telecom is a major player in the telecommunications sector with deep resources and infrastructure. Yet, malware infiltrated their systems as far back as mid-2022, and they only began logging server activity in December 2024. That’s over two years of complete blind spots. In cybersecurity terms, that’s an eternity.
Second, the type of data compromised is particularly troubling. The leak includes IMSI numbers, SIM authentication keys, and even personal contact lists and SMS data. The IMSI and authentication key together are the subscriber's credential to the mobile network, so an attacker holding them can clone a SIM without the social engineering a conventional SIM swap requires, and then receive the victim's calls and SMS, including the one-time codes used to reset passwords, approve bank transfers, or bypass 2FA. For affected users, the implications extend far beyond privacy: it is a direct threat to financial and digital security.
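To make concrete why the IMSI and the USIM authentication key are the critical items in the list above, here is a deliberately simplified model of USIM authentication (3GPP AKA), written for this page as an added example; it is not SK Telecom's code and not from the report. HMAC-SHA256 stands in for the Milenage f2/f3 functions, the sequence-number and AUTN part of AKA is omitted, and the IMSI is constructed. It shows that a clone built from a leaked (IMSI, K) pair authenticates exactly like the real card and derives the same cipher key, and that only re-issuing the SIM with a fresh K (the remediation SK Telecom announced) shuts the clone out.

```python
# Added example, not SK Telecom's code and not from the BleepingComputer report.
# Simplified model of USIM authentication (3GPP AKA): HMAC-SHA256 stands in for
# the Milenage f2 (RES) and f3 (CK) functions; SQN/AUTN handling is omitted.
import hashlib
import hmac
import secrets


def f2_res(k: bytes, rand: bytes) -> bytes:
    """Stand-in for Milenage f2: the 8-byte response the USIM returns to RAND."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def f3_ck(k: bytes, rand: bytes) -> bytes:
    """Stand-in for Milenage f3: the 16-byte cipher key both sides derive."""
    return hmac.new(k, b"f3" + rand, hashlib.sha256).digest()[:16]


class AuthCentre:
    """Operator HSS/AuC. Holds IMSI -> K; this table is what a breach of
    USIM authentication keys exposes."""

    def __init__(self):
        self.keys = {}

    def provision(self, imsi: str) -> bytes:
        """Generate K for a new USIM; returned once so it can be burned into the card."""
        k = secrets.token_bytes(16)
        self.keys[imsi] = k
        return k

    def reissue(self, imsi: str) -> bytes:
        """SIM replacement: a fresh K invalidates anything derived from the old one."""
        return self.provision(imsi)

    def challenge(self, imsi: str):
        """Issue a random RAND and compute the expected response XRES."""
        rand = secrets.token_bytes(16)
        return rand, f2_res(self.keys[imsi], rand)

    @staticmethod
    def verify(xres: bytes, res: bytes) -> bool:
        return hmac.compare_digest(xres, res)


class Usim:
    """Anything holding (IMSI, K): the genuine card, or a clone built from a dump."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k

    def respond(self, rand: bytes) -> bytes:
        return f2_res(self.k, rand)

    def cipher_key(self, rand: bytes) -> bytes:
        return f3_ck(self.k, rand)


def attach(auc: AuthCentre, usim: Usim) -> bool:
    """One AKA run: network challenges, card answers, network checks."""
    rand, xres = auc.challenge(usim.imsi)
    return auc.verify(xres, usim.respond(rand))


def demo() -> dict:
    """Walk through provisioning, breach, cloning and SIM re-issue."""
    auc = AuthCentre()
    imsi = "450051234567890"  # constructed IMSI; 450 is the South Korean MCC
    genuine = Usim(imsi, auc.provision(imsi))

    # The breach: the attacker reads the IMSI -> K table off the operator's servers.
    stolen_k = auc.keys[imsi]
    clone = Usim(imsi, stolen_k)

    results = {
        "genuine": attach(auc, genuine),
        "clone_before_reissue": attach(auc, clone),
    }
    # Same K and same RAND give the same CK: the clone can decrypt the
    # victim's traffic, not only answer challenges.
    rand, _ = auc.challenge(imsi)
    results["clone_derives_same_ck"] = clone.cipher_key(rand) == genuine.cipher_key(rand)

    # Remediation described in the article: replace the SIM, i.e. rotate K.
    replacement = Usim(imsi, auc.reissue(imsi))
    results["clone_after_reissue"] = attach(auc, clone)
    results["genuine_after_reissue"] = attach(auc, replacement)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

The network never sees K; it only sees RES, so it has no way to tell the card from the clone. That is why a key leak cannot be fixed by blocking a device or a number and why SK Telecom's SIM replacement programme is the right shape of response.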
From a strategic standpoint, SK Telecom’s decision to halt new user registrations reflects the severity of the crisis. It signals that the breach has strained internal systems and diverted resources toward mitigation and damage control. It also reveals how ill-prepared even top-tier firms can be when hit with prolonged stealth attacks.
Moreover, the discovery that 23 Linux servers were compromised points to a methodical operation by attackers who, over nearly three years, had ample time to learn the infrastructure. A web shell is a classic entry point; that one could be planted, persist, and spread across 23 servers suggests gaps in patching of the exposed application, in endpoint and file-integrity monitoring on the servers, and in segmentation between web-facing hosts and the systems holding subscriber data.
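As an added example of what the missing monitoring discussed in the two paragraphs above would have looked like in practice (this is not SK Telecom's tooling and not from the BleepingComputer report): a small hunting script that scores web-server access-log lines for web-shell behaviour and reports how far back the available log can actually see. The log lines, IP addresses, paths, directory layout and parameter names are all constructed for the example.

```python
# Added example, not SK Telecom's tooling and not from the report: hunt for
# web-shell activity in web-server access logs and measure the log blind spot.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))
# Timeline from the article: web shell planted 15 June 2022, logging from 3 Dec 2024.
SUSPECTED_COMPROMISE = datetime(2022, 6, 15, tzinfo=KST)

# Constructed sample in combined log format. The last three lines simulate an
# operator driving a dropped shell with command-style parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2024:10:01:12 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:10:01:13 +0900] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Dec/2024:10:04:50 +0900] "POST /api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Dec/2024:11:17:02 +0900] "POST /uploads/.cache/x.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [03/Dec/2024:11:17:09 +0900] "POST /uploads/.cache/x.php?cmd=uname+-a HTTP/1.1" 200 140 "-" "python-requests/2.31"
198.51.100.23 - - [03/Dec/2024:11:18:41 +0900] "POST /uploads/.cache/x.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2240 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|jsp|jspx|aspx?|cgi)(?:\?|$)", re.I)
CMD_PARAM = re.compile(r"[?&](?:cmd|exec|command|c|shell|run)=", re.I)
NO_CODE_DIRS = ("/uploads/", "/static/", "/images/", "/tmp/")  # assumed site layout


def score_request(rec: dict):
    """Return (score, reasons) for one parsed request; each reason is one indicator."""
    reasons = []
    url = rec["url"]
    path = url.split("?", 1)[0]
    if SCRIPT_EXT.search(url) and path.startswith(NO_CODE_DIRS):
        reasons.append("script-in-upload-dir")      # server-side code where only data belongs
    if CMD_PARAM.search(url):
        reasons.append("command-style-parameter")   # ?cmd= and friends
    if any(seg.startswith(".") for seg in path.split("/") if seg):
        reasons.append("hidden-dot-path")           # dropped in a dot-directory to hide
    if rec["method"] == "POST" and rec["ref"] == "-" and not rec["ua"].startswith("Mozilla"):
        reasons.append("post-no-referer-nonbrowser-ua")
    return len(reasons), reasons


def hunt(log_text: str, threshold: int = 2) -> dict:
    """Parse and score every line; group lines at or above threshold by (ip, path)."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        score, reasons = score_request(rec)
        if score < threshold:
            continue
        h = hits[(rec["ip"], rec["url"].split("?", 1)[0])]
        ts = datetime.strptime(rec["ts"], TS_FMT)
        h["count"] += 1
        h["reasons"].update(reasons)
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


def log_coverage(log_text: str, suspected_compromise: datetime):
    """Earliest timestamp in the log and how many days of the intrusion it cannot show."""
    stamps = [datetime.strptime(m["ts"], TS_FMT)
              for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]
    earliest = min(stamps)
    return earliest, max((earliest - suspected_compromise).days, 0)


if __name__ == "__main__":
    for (ip, path), h in hunt(SAMPLE_LOG).items():
        print(f"{ip} {path}: {h['count']} hits {sorted(h['reasons'])} "
              f"{h['first']:%H:%M:%S}-{h['last']:%H:%M:%S}")
    first, gap = log_coverage(SAMPLE_LOG, SUSPECTED_COMPROMISE)
    print(f"log starts {first:%Y-%m-%d}; {gap} days of the intrusion are invisible")
```

Each indicator on its own produces false positives (some legitimate apps use `?cmd=`), so the script only reports requests that trip two or more, and groups them by source and path so an analyst sees a session rather than single lines. The coverage figure is the point the commentary makes: with logs that start on 3 December 2024, roughly 900 days of a compromise dating to June 2022 are simply not recorded, no matter how good the detection logic is.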
Interestingly, SK Telecom denies some parts of the findings, particularly around the IMEI leaks. This may be a legal maneuver or an attempt to reduce liability, but it further complicates public trust. As users await full transparency, the company is walking a fine line between damage control and accountability.
This breach will likely serve as a wake-up call for the global telecom sector. It shows how legacy systems, lack of real-time monitoring, and delayed response mechanisms can lead to long-term, large-scale compromises. More importantly, it raises questions about government oversight, given that this breach persisted in a company so closely linked to national infrastructure.
Fact Checker Results ✅
🔍 The malware was indeed present since June 2022, confirmed by the joint public-private investigation.
📊 SK Telecom confirmed 25 data types were exposed, with USIM data being the primary concern.
📱 SK Telecom disputes that IMEI data was accessed; the joint public-private investigation found 291,831 IMEI numbers on the exposed servers.
Prediction 📡
The fallout from this breach is far from over. As investigations continue, more user data may be confirmed compromised, leading to potential lawsuits and regulatory fines. Expect South Korea to introduce stricter cybersecurity mandates for telecom firms in the coming months. SK Telecom may also fast-track AI-based threat detection tools and collaborate with international cybersecurity experts to rebuild its defense posture and restore consumer trust.
References:
Reported By: www.bleepingcomputer.com