A timeline of South Korean telco giant SKT’s data breach

In April, South Korea’s telco elephantine SK Telecom (SKT) was deed by a cyberattack that led to the theft of idiosyncratic information connected astir 23 cardinal customers, equivalent to astir fractional of the country’s 52 cardinal residents.

At a National Assembly proceeding successful Seoul connected Thursday, SKT main enforcement Young-sang Ryu said astir 250,000 users person switched to a antithetic telecom supplier pursuing the information breach. He said that expects this fig to scope 2.5 million, much than tenfold the existent amount, if the institution waives cancellation fees.

The institution could suffer up to $5 cardinal (around ₩7 trillion) implicit the adjacent 3 years if it decides not to complaint cancellation fees for users who privation to cancel their declaration early, Ryu said astatine the hearing.

“SK Telecom considers this incidental the astir terrible information breach successful the company’s past and is putting distant our utmost effort to minimize immoderate harm to our customers,” a spokesperson astatine SKT told TechCrunch successful an emailed statement. “The fig of customers affected and the entity liable for the hacking is nether investigation,” the spokesperson added.

A associated probe involving some nationalist and backstage entities is presently underway to place the circumstantial origin of the incident. 

The Personal Information Protection Committee (PIPC) of South Korea announced connected Thursday that 25 antithetic types of idiosyncratic information, including mobile telephone numbers and unsocial identifiers (IMSI numbers), arsenic good arsenic USIM authentication keys and different USIM data, had been exfiltrated from its cardinal database, known arsenic its location subscriber server. The compromised information tin enactment customers astatine greater hazard of SIM swapping attacks and authorities surveillance.

After its authoritative announcement of the incidental connected April 22, SKT has been offering SIM paper extortion and escaped SIM paper replacements to forestall further harm to its customers.

“We detected imaginable accusation leakage regarding SIM connected April 19,” the spokesperson astatine SKT told TechCrunch. “Following the recognition of the breach, we instantly isolated the affected instrumentality portion thoroughly investigating the full system.”

“To further safeguard our customers, we are presently processing a strategy that tin support users’ accusation done the SIM extortion work portion allowing them to usage roaming services seamlessly extracurricular of Korea by May 14,” the spokesperson said.

To date, SKT has not received immoderate reports of secondary harm and nary verified instances of lawsuit accusation being distributed oregon misused connected the acheronian web oregon different platforms, the institution told TechCrunch.

A timeline of SKT’s information breach

April 18, 2025

SKT detected abnormal activities connected April 18 astatine 11:20 pm section time. SKT recovered antithetic logs and signs of files having been deleted connected instrumentality that the institution uses for monitoring and managing billing accusation for its customers, including information usage and telephone durations.

April 19, 2025

The institution identified a information breach connected April 19 successful its location subscriber server successful Seoul, which typically houses subscriber information, including authentication, authorization, location, and mobility details.

April 20, 2025

SKT reported the cyberattack incidental to Korea’s cybersecurity agency connected April 20.

April 22, 2025

SKT confirmed connected its website that it detected suspicious activity, indicating a “potential” information breach involving immoderate accusation related to users’ USIMs data.

April 28, 2025

SKT began replacing mobile SIM cards of 23 cardinal users, but the institution has faced shortages successful obtaining capable USIM cards to fulfill its committedness to supply escaped SIM paper replacements.

April 30, 2025

South Korean constabulary began investigating SKT’s suspected cyberattack connected April 18.

April 30, 2025  

South Korean police began investigating SKT’s cyberattack connected April 30.

According to section media reports, galore South Korean companies, including SKT, usage Ivanti VPN equipment, and that the caller information breach whitethorn beryllium connected to China-backed hackers.  

Per a section media report, SKT said it received a cybersecurity announcement from KISA instructing the institution to crook disconnected and regenerate the Ivanti VPN.

TeamT5, a cybersecurity institution based successful Taiwan, alerted the nationalist to the worldwide threats posed by a government-backed group linked to China, which allegedly took vantage of vulnerabilities successful Ivanti’s Connect Secure VPN systems to summation entree to aggregate organizations globally. 

Some 20 industries person been affected, including automotive, chemical, fiscal institutions, instrumentality firms, media, probe institutes, and telecommunications, crossed 12 countries, including Australia, South Korea, Taiwan, and the United States.

May 6, 2025  

A squad of nationalist and backstage investigators discovered an further 8 types of malware successful SKT’s hacking case. The squad is presently investigating whether the caller malware was installed connected the aforesaid location subscriber server arsenic the archetypal 4 strains oregon if they are located connected abstracted server equipment.

May 7, 2025  

Tae-won Chey, the president of SK Group, which operates SKT, publically apologized for the archetypal time for the information breach, immoderate 3 weeks aft the breach occurred.

As of May 7, each eligible users person been signed up for the SIM extortion service, but those surviving overseas utilizing roaming services and temporarily suspended, the spokesperson told TechCrunch, adding that its fraud detection strategy has already been acceptable up for each customers to forestall unauthorized login attempts utilizing cloned SIM cards.

May 8, 2028

SKT is presently assessing however to grip the cancellation fees for users affected by the information breach incident. About 250,000 users person switched to different telecom supplier pursuing the breach, according to the company’s main enforcement astatine a National Assembly hearing. 

South Korean authorities, meanwhile, announced that 25 types of idiosyncratic accusation were leaked from the company’s databases during the cyberattack.