• SKT’s April 2025 breach exposed data of 23 million users, including sensitive SIM and authentication information.
• The attack exploited critical telecom infrastructure, likely via VPN vulnerabilities, and is suspected to involve state-sponsored hackers.
• The breach has led to mass SIM replacements, user exodus, and a comprehensive government and industry response.

SK Telecom, South Korea’s largest telco, suffered a massive data breach in April 2025 that exposed the personal data of 23 million users. The breach, believed to be the work of highly skilled, possibly state-sponsored hackers, triggered a nationwide response and ongoing investigations.

April 18, 2025:
SK Telecom (SKT) detects abnormal activity on its systems at 11:20 p.m. Unusual logs and deleted files are found on equipment monitoring customer billing and usage data.

April 19, 2025:
SKT identifies a breach in its Home Subscriber Server (HSS) in Seoul, which holds sensitive subscriber data including authentication keys, IMSI numbers, and USIM data. Malware is found on the critical server, indicating a sophisticated intrusion.

April 20, 2025:
SKT reports the cyberattack to Korea’s cybersecurity agency, KISA, and begins isolating affected systems.

April 22, 2025:
SKT publicly confirms the breach, warning users of potential USIM data exposure. The Personal Information Protection Committee (PIPC) is notified, and an emergency government response team is formed.

April 28, 2025:
SKT starts replacing SIM cards for 23 million users, but faces shortages. Over 70,000 users switched to rival carriers within two days of the announcement.

April 30, 2025:
South Korean police open an investigation into the cyberattack, and financial authorities tighten sector-wide security.

May 1, 2025:
Reports emerge linking the breach to vulnerabilities in Ivanti VPN equipment, possibly exploited by China-backed hackers. SKT receives official instructions to replace vulnerable VPN devices.

May 6, 2025:
Investigators discover eight more types of malware involved in the attack, deepening concerns about the breach’s sophistication.

May 7, 2025:
SK Group Chairman Chey Tae-won publicly apologises for the breach. As of this date, all eligible users are enrolled in SIM protection services, and SKT’s fraud detection systems are enhanced.

May 8, 2025:
SKT CEO Young-sang Ryu testifies that 250,000 users have switched providers, with up to 2.5 million expected to leave if cancellation fees are waived.

Authorities confirm that 25 types of personal data were leaked, including information that could enable SIM swapping and surveillance.

Aftermath and Attribution

The breach is considered the most severe in SKT’s history, with potential losses of up to $5 billion if all affected users leave without penalty.

No group has claimed responsibility, but evidence points to a highly skilled, possibly state-sponsored actor, with speculation focusing on China-linked APTs exploiting VPN vulnerabilities.

Investigations continue, with no confirmed misuse of stolen data to date, but the incident has triggered a nationwide review of telecom security and customer protections.


Edited by Annette George