SK Telecom (SKT) has been directed to waive early termination fees for customers who have cancelled or will cancel their contracts between 19 April and 14 July, following a significant SIM hacking incident. The directive comes as part of the South Korean government’s final determination after a months-long investigation into the breach, which compromised data linked to nearly 27 million subscriber identification numbers (IMSIs).
The Ministry of Science and ICT announced on Friday that SKT bore responsibility for the incident, citing operational negligence and failure to uphold its contractual duty to provide secure communication services. In its final report, the Ministry concluded that SKT’s failures constituted a breach of service terms, entitling affected customers to financial relief.
Scope of the Breach
The breach, which began in August 2021, was only confirmed in April this year. Investigators found that hackers accessed SKT’s core network infrastructure, compromising 9.82 gigabytes of SIM data. This included 25 categories of information such as phone numbers and IMSIs, amounting to approximately 26.96 million records — effectively the entirety of SKT’s subscriber base.
An extensive inspection of SKT’s systems revealed 33 malware types, including 27 variants of BPFDoor — a sophisticated remote access tool designed to bypass standard authentication and monitoring protocols. The malware was discovered on 28 servers, an increase from earlier findings, which identified 23 malware types on 23 servers.
Authorities believe the probability of further immediate damage remains low. Science Ministry Second Vice Minister Ryu Je-myung stated during a briefing that no additional harm, including SIM cloning, has been detected. He also confirmed that no leaks were identified among the 290,000 IMEIs stored within the customer management system during the period covered by logs. However, due to missing log data covering two and a half years, the possibility of undetected breaches cannot be fully excluded.
Security Failures and Regulatory Breach
The investigation found that SKT failed to encrypt critical credentials and authentication keys, including those stored on its core voice authentication server (HSS). Hackers initially gained entry through a misconfigured server on a management network exposed to the internet. This server contained unencrypted credentials, enabling the attackers to access the HSS system directly.
These findings highlighted significant lapses in SKT’s security practices. Unlike its domestic competitors KT and LG U+, which encrypt SIM-related data in accordance with GSM Association guidelines, SKT stored sensitive authentication keys in plain text.
The government’s report also criticised SKT for its inadequate response to earlier signs of a breach. In February 2022, an abnormal reboot of an infected server was internally addressed without notification to authorities — a clear violation of the Information and Communications Network Act, which from 2024 will mandate breach reporting within 24 hours. Furthermore, SKT’s review of only one of six critical logs during this period resulted in a missed opportunity to detect the infiltration earlier.
“Had SKT examined the remaining logs, it could have confirmed that the HSS server had been compromised with BPFDoor malware,” Ryu said.
Company Response and Government Oversight
In response to the government’s findings, SKT convened an emergency board meeting. Chief Executive Ryu Young-sang confirmed the company would fully comply with the directive and waive early termination charges for affected customers.
The Science Ministry has ordered SKT to submit a comprehensive plan to prevent future incidents by the end of July. Authorities will conduct a follow-up review of the implementation measures in November or December.
-Korea JoongAng Daily