SKT's customer protection promise undermined by USIM shortage

SK Telecom users line up in front of a retail store in Seoul to replace their USIM cards, Tuesday. Yonhap

SK Telecom’s pledge to replace the universal subscriber identity module (USIM) chips of its 23 million subscribers following a recent customer data breach is faltering due to a supply shortage.

The exact scope of the damage has yet to be identified, but the government announced Tuesday that it had confirmed the breach involved four types of information that could potentially be used for USIM cloning.

The government also said that the breach did not involve the codes used for identifying mobile devices, meaning that fraud through USIM cloning or swapping can be prevented through SK Telecom’s USIM protection program.

However, consumer confusion persists over USIM replacement, as both the company and experts continue to recommend it as the most effective way to prevent potential misuse of personal information, even as the supply of new USIM cards falls far short of surging demand.

An investigation team from the Ministry of Science and ICT said it had examined five SK Telecom servers showing signs of attack and confirmed that the compromised data included four types of information, including subscriber phone numbers and International Mobile Subscriber Identity codes.

Contrary to initial speculation, the investigation team found that the leaked data does not include International Mobile Equipment Identity (IMEI) codes, a 15-digit number assigned to all cellular-enabled devices to verify whether a device matches its USIM.

Following the breach, SK Telecom has urged customers to subscribe to its USIM protection service, which blocks a USIM from connecting to the network if the IMEI code or other identifier data sets do not match.

The Ministry of Science and ICT said the USIM Protection Service “offers a similar level of protection” compared to USIM card replacements and urged the public to apply for the service.

An official at SK Telecom said, however, that it will continue its free USIM replacement program as planned, regardless of the investigation result, adding that the company will spare no efforts to protect customers.

SK Telecom headquarters in Jung District, Seoul, April 22 / Yonhap

Despite the pledge, customer confusion and inconvenience are expected to persist, as the number of USIM cards available falls far short of SK Telecom’s total user base, and securing a large additional supply in a short period remains challenging.

According to the telecom, a total of 391,000 people had replaced their USIMs as of 6 p.m. Tuesday, accounting for approximately 1.7 percent of the total number of SK Telecom subscribers.

After the telecom operator began offering free USIM replacements on Monday, lines formed at multiple SK Telecom retail stores the following day. It remains unclear when many customers will actually receive replacements — which both the company and experts continue to recommend as the most effective safeguard against potential cybercrimes.

SK Telecom is using currently an online reservation system to ease expected confusion at its retail stores. However, users faced further inconvenience as the reservation system also required user data collection, and there remained only a limited number of USIM available at retail stores.

The telecom said it has about 1 million USIM cards in stock and will be able to secure an additional 5 million by the end of May. Including 1.87 million subscribers on budget-friendly plans through mobile virtual network operators, the company needs to provide up to 25 million USIM cards.

According to industry officials, four companies are supplying USIM cards to SK Telecom — XCURE, UBIVELOX, Thales and SK Telink.

After announcing its free USIM replacement plan last week, SK Telecom requested suppliers increase the volume of cards, but it remains uncertain whether they can ramp up production capacity sufficiently on such short notice.

“As we have experienced in other supply shortage cases, increasing the production capacity in a period of time is very difficult due to the supply chain,” an industry official said.

“Manufacturing USIM cards also involves a supply chain across chips, software and card bodies … Each player in the USIM supply chain is in coordination to ramp up production."

As the supply shortage is unlikely to be addressed in the near future, SK Telecom said it is now developing ways to "reset USIM," but added that this will also require customers visit its stores.

Securing USIM cards from other telecom operators is not an option. Industry sources said that each of the three major carriers — SK Telecom, KT and LG Uplus — has different certification processes, and the information preloaded onto the USIM cards is different, making them incompatible with one another.

Minister of Science and ICT Yoo Sang-im told the National Assembly on Tuesday that SK Telecom will face "due punishment" for reporting the incident about a day later than required.

According to People Power Party Rep. Choi Soo-jin, SK Telecom first detected signs of suspicious data movement at 6 p.m. on April 18 and confirmed a cybersecurity breach by 11 p.m. the same day. However, the company reported the breach two days later, at 4 p.m. on April 20, violating the requirement to notify the Korea Internet & Security Agency within 24 hours of recognizing a cyberattack.