
On May 6, SK Group Chairman Chey Tae-won issued a public apology following a massive data breach at SK Telecom (SKT), South Korea’s largest mobile carrier. SKT first notified some users of a breach on April 19, just a day after the attack. However, most users remained unaware until April 24, when SKT confirmed to the press that its Home Subscriber Server had been compromised by a backdoor malware attack.
The data breach occurred due to a BPFDoor hacking module that had been installed on the system through an unknown route. BPFDoor is a software utility designed to analyze network packets that the server receives over the internet, which was abused by the hacking module to install dormant malware.
Further investigation revealed the scale of the attack to be significantly greater than initially anticipated. According to a joint report by the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA), the attackers accessed data from at least 2,694 million Universal Subscriber Identity Module (USIM) entries. These cover a range of devices, including smartphones, smart watches, corporate lines, and IoT devices. Authorities also found around 290,000 unique IMEI numbers – used to identify devices – in leaked data files, raising serious concerns.
Among the data leaked from the Home Subscriber Server, the biggest problem may be the “Ki value.” The Ki value is a secret key used in authentication algorithms; it is unique to every USIM card and is stored both on the user’s USIM card and in the operator’s database. The Ki allows the operator and the user to authenticate each other, and the leakage of this value, combined with other leaked information, can be used by hackers to clone user USIM cards.
Such cloned USIM cards can potentially be used by hackers to impersonate a user and gain access to the user’s mobile verification methods. This gives them access to any account where the USIM card is used as a method of recovery or access, like banking apps, corporate emails, and stock trading platforms. Although experts are dismissive about the reality of cloned phones, the slim chance of misfortune keeps many SKT customers on their toes; communication research company Consumer Insight has reported that 73% of SKT customers are concerned about the aftereffects of the incident, such as financial fraud and identity theft.
SKT has responded with two main solutions, though neither has gone over particularly well with the public. First, they launched what they call the “USIM Protection Service”. It uses a secondary key linked to your mobile device to make sure the USIM card is still in the original phone and hasn’t been copied or moved. SKT says over 2 million customers signed up for the service within two days of launch. However, if that secondary key was also leaked – something the company claims didn’t happen – the service might not offer real protection.
Their second move was to offer free SIM card replacements to all 23 million subscribers. This is the most straightforward fix since swapping out a compromised SIM cuts off access to the old key. But even that didn’t go smoothly. As of late April, SKT reportedly had only about 1 million replacement SIMs in stock. Hence many users who tried to get a replacement ended up visiting multiple stores, only to be turned away and repeatedly told to wait for a restock. Some gave up and switched to competitors like KT or LG U+. On May 5, SKT temporarily paused new customer registrations altogether to focus on replacing compromised SIMs for current users.
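The Ki-based authentication, the device binding behind the USIM Protection Service, and the effect of a SIM replacement can be modelled in a few lines. This is an added example, not SKT's or the article's code: HMAC-SHA256 stands in for the real SIM authentication algorithm, the "secondary key" is assumed to be a device identifier reported at attach time, and every identifier is constructed.

```python
import hashlib
import hmac
import os

def sim_response(ki: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the real SIM authentication algorithm.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]

class Operator:
    """Toy subscriber database: IMSI -> Ki, plus an optional device binding."""

    def __init__(self):
        self.ki = {}
        self.bound_device = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.ki[imsi] = ki  # the same Ki is stored on the card and here

    def attach(self, imsi: str, device_id: str, card) -> str:
        """card is a callable rand -> response: whatever USIM sits in the device."""
        rand = os.urandom(16)  # fresh challenge per attempt
        if not hmac.compare_digest(sim_response(self.ki[imsi], rand), card(rand)):
            return "reject: authentication failed"
        bound = self.bound_device.get(imsi)
        if bound is not None and bound != device_id:
            return "reject: USIM not in bound device"
        return "accept"

def make_card(ki: bytes):
    return lambda rand: sim_response(ki, rand)

def demo() -> dict:
    op = Operator()
    imsi = "001010000000001"                              # constructed, test network code
    phone, other = "000000000000011", "000000000000029"   # constructed device IDs
    old_ki = os.urandom(16)
    op.provision(imsi, old_ki)
    original, copy = make_card(old_ki), make_card(old_ki)  # copy: built from a leaked Ki
    out = {"original": op.attach(imsi, phone, original),
           "copy_no_binding": op.attach(imsi, other, copy)}
    op.bound_device[imsi] = phone                          # protection service enabled
    out["copy_with_binding"] = op.attach(imsi, other, copy)
    new_ki = os.urandom(16)
    op.provision(imsi, new_ki)                             # SIM replacement: new Ki
    out["copy_after_replacement"] = op.attach(imsi, phone, copy)
    out["replacement_sim"] = op.attach(imsi, phone, make_card(new_ki))
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The binding check only compares an identifier that the device reports, which is why the article's caveat about that value also leaking matters; replacing the SIM changes the secret itself, so the old copy fails authentication on any device.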
Meanwhile, forensic investigators identified a total of 25 distinct malware strains involved in the breach, some of which are believed to have been present as early as June 2022—nearly three years before their discovery. This raised serious concerns regarding SKT’s capacity for detecting malicious code and its long-term monitoring effectiveness, while also suggesting the possibility of additional data leaks or attacks that may have gone undetected.
The fallout from SK Telecom's data breach has sparked a wave of legal action from affected customers. As of May 22, over 34,000 individuals have joined class-action lawsuits organized by approximately 10 law firms, seeking compensation ranging from 300,000 to 1 million won per person. These legal actions allege that SKT's inadequate security measures and delayed response to the breach constitute gross negligence. If courts find that SKT failed to comply with mandatory safety protocols, the company could face punitive damages beyond standard compensation. The growing legal pressure reflects widespread public dissatisfaction and a demand for accountability from the telecom giant.
Data breaches aren’t new in Korea’s telecom industry, but this one is completely unprecedented in scale and potential damage. In the end, no system is bulletproof – but how a company handles a crisis speaks volumes. Transparency, fast response, and accountability can help preserve trust. Unfortunately for SKT, this incident has many questioning whether convenience is worth the risk. Switching providers might not prevent all future breaches, but it does send a clear message: trust is hard to earn, and once it’s lost, it’s even harder to win back.