
A sign apologizing for a massive data breach is displayed at an SK Telecom store in Seoul, Wednesday / Yonhap
Approximately 27 million subscriber records were confirmed to have been compromised in last month's major cyberattack on SK Telecom, the joint government-private investigation team announced Monday.
The figure exceeds SK Telecom's total customer base of 25 million, and new findings show that malware was also present on servers that stored users' device identifiers, likely making the incident one of the worst telecom security breaches in the country's history.
According to the investigation team, a forensic analysis of around 30,000 of SK Telecom's Linux-based servers revealed that 23 had been infected. Investigators identified 25 different types of malware during the probe.
The leaked data amounts to 9.82 gigabytes and 26.95 million records, primarily International Mobile Subscriber Identity (IMSI) values, the identifier a mobile network uses to recognize each subscriber's USIM when the device attaches to the network.
Along with IMSI, the team reported that roughly 290,000 International Mobile Equipment Identity (IMEI) records were stored on two of the compromised servers, raising concerns that the leaked data could be used to clone users' universal subscriber identity module (USIM) cards or for other cybercrimes.
IMEI is a 15-digit number assigned to every cellular-enabled device; a carrier can use it to check whether the handset connecting with a given USIM is the one it expects. Creating a cloned phone, known as USIM cloning, therefore requires not only the IMSI but also the device's IMEI and a duplicated USIM card.
In its initial findings last month, the team said that IMSI and USIM data had leaked but that no IMEI data had been compromised. The latest findings, however, confirm that two of the infected servers held sensitive personal information, including IMEI numbers, names, dates of birth, phone numbers and email addresses.
The team noted that firewall logs covering Dec. 3 last year to April 24 showed no evidence of data leaving the network. However, the malware was first installed on June 15, 2022, and whether any data was exfiltrated between that date and Dec. 2, 2024, a period the reviewed logs do not cover, remains unknown.
The team and SK Telecom initially said the risk of cybercrimes such as USIM cloning or SIM swapping was extremely low because no IMEI data had been compromised. With the new findings showing that an IMEI leak cannot be ruled out, concerns are mounting that attackers could clone USIM cards and use them in other devices for illegal activity.
Addressing those concerns, the government said at a press briefing that even in the worst case of an IMEI leak, creating a cloned phone would still be difficult.
“According to manufacturers, cloning or creating ‘twin phones’ is fundamentally impossible with leaked 15-digit IMEI data,” said Ryu Je-myung, head of the Ministry of Science and ICT’s Office of Network Policy.
“SK Telecom has completed technical enhancements in its fraud detection system. Even if a twin phone were somehow created, it would be fully blocked from accessing the network.”
Ryu added, however, that the government has also urged SK Telecom to prepare compensation measures in case users suffer further harm, because no system can be guaranteed to be 100 percent foolproof.
SK Telecom also said in a separate press briefing on Monday that “cloning a phone is virtually impossible” and its fraud detection system is “blocking all network access attempts from cloned phones.”

Choi Woo-hyuk, information protection network policy officer at the Ministry of Science and ICT, speaks during a press briefing on SK Telecom’s data breach at Government Complex Seoul, Monday.
Along with the scope of the damage, the team also confirmed that the malware used in the breach included BPFDoor and a web shell.
BPFDoor is a backdoor that global cybersecurity experts have been warning about since 2022. It targets Linux systems and is built to stay resident for long periods without alerting security tooling: rather than opening a listening port, it attaches a Berkeley Packet Filter to a raw socket and lies dormant until a specially crafted "magic" packet arrives, so it is invisible to port scans and to ordinary listings of listening services.
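An added example (not code from the article, the investigation team or SK Telecom) of how a defender can hunt for this class of backdoor on a Linux host. It assumes the BPFDoor behaviour described above: a passive AF_PACKET raw socket with a filter attached and no listening port. Such sockets still appear in /proc/net/packet, and each socket inode can be tied to its owning process through the socket:[inode] symlinks in /proc/<pid>/fd. The /proc contents, process names, paths and the allowlist of legitimate sniffers in the sample are constructed for the demonstration and would need tuning per fleet.

```python
"""Hunt for BPFDoor-style passive backdoors via /proc (added example, not from the page)."""
import os
import re
from dataclasses import dataclass, field

ETH_P_ALL = 0x0003   # packet socket receiving every ethertype: a full sniffer
SOCK_RAW = 3

# Binaries that legitimately hold packet sockets on many hosts (constructed list,
# tune per fleet). Keyed on the resolved executable path, not the process name:
# BPFDoor is known to rewrite its own argv/comm to look like a system daemon.
DEFAULT_ALLOWLIST = {"/usr/sbin/dhclient", "/usr/sbin/dhcpcd", "/usr/sbin/tcpdump",
                     "/usr/sbin/NetworkManager", "/usr/sbin/lldpd"}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int       # ethertype, printed in hex in /proc/net/packet
    iface: int       # ifindex; 0 means "all interfaces"


@dataclass
class ProcInfo:
    pid: int
    comm: str        # /proc/<pid>/comm, what ps shows (attacker-controlled)
    exe: str         # readlink(/proc/<pid>/exe)
    fd_links: list = field(default_factory=list)   # readlink of each /proc/<pid>/fd/*


def parse_proc_net_packet(text: str) -> list:
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    socks = []
    for line in text.splitlines()[1:]:           # skip the header line
        f = line.split()
        if len(f) >= 9:
            socks.append(PacketSocket(inode=int(f[8]), sock_type=int(f[2]),
                                      proto=int(f[3], 16), iface=int(f[4])))
    return socks


def socket_owners(procs: list) -> dict:
    """Map socket inode -> ProcInfo via the 'socket:[inode]' fd symlinks."""
    owners = {}
    for p in procs:
        for target in p.fd_links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = p
    return owners


def find_suspects(packet_text: str, procs: list, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return [(pid, comm, [reasons])] for packet sockets that need a closer look."""
    owners = socket_owners(procs)
    hits = []
    for s in parse_proc_net_packet(packet_text):
        p = owners.get(s.inode)
        if p is None:
            # No visible process owns it: hidden process, or fds unreadable to us.
            hits.append((None, "<unknown>", [f"orphan packet socket inode {s.inode}"]))
            continue
        if p.exe in allowlist:
            continue
        reasons = []
        if s.sock_type == SOCK_RAW and s.proto == ETH_P_ALL:
            reasons.append("raw socket on all ethertypes (filter-driven sniffer, no listening port)")
        if p.exe.endswith(" (deleted)") or p.exe.startswith("/dev/shm/"):
            reasons.append(f"executable unlinked or in tmpfs: {p.exe}")
        if reasons:
            hits.append((p.pid, p.comm, reasons))
    return hits


def collect_live_procs() -> list:
    """Walk /proc on the running host (root is needed to read other users' fds)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = "?"
            links = []
            for fd in os.listdir(f"{base}/fd"):
                try:
                    links.append(os.readlink(f"{base}/fd/{fd}"))
                except OSError:
                    pass
            procs.append(ProcInfo(int(name), comm, exe, links))
        except OSError:
            pass                                  # raced with exit, or no permission
    return procs


# Constructed sample: a legitimate DHCP client plus a process masquerading as
# udevd whose binary was unlinked after launch. Not data from any real host.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9d1a8c2e1000 3      3    0800   2     1 0      0      31877
ffff9d1a8c2e2800 3      3    0003   0     1 0      0      40211
"""
SAMPLE_PROCS = [
    ProcInfo(412, "dhclient", "/usr/sbin/dhclient", ["/dev/null", "socket:[31877]"]),
    ProcInfo(2291, "udevd", "/dev/shm/.cache (deleted)", ["/dev/null", "socket:[40211]"]),
]

if __name__ == "__main__":
    for pid, comm, reasons in find_suspects(SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS):
        print(f"pid={pid} comm={comm}: " + "; ".join(reasons))
    # Live host: find_suspects(open("/proc/net/packet").read(), collect_live_procs())
```

Two caveats a practitioner would want. The allowlist is keyed on the executable path because the process name is trivially faked, but a root-level implant can also drop its binary at an allowlisted path, so a hash of the running binary is the stronger key. Anything that reads /proc can be blinded by a kernel-mode rootkit; cross-check from a second vantage point, for instance `ss -0pb` (packet sockets with their attached BPF programs, root only) or a packet capture of the magic-packet traffic at the network edge, and treat an orphan packet socket as a finding in its own right rather than noise.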
According to several cybersecurity reports, including a May 13 report by domestic security firm PIOLINK, BPFDoor has mainly been used by the China-based hacking group Red Menshen. The group has continuously improved the malware since 2021, and after its source code was leaked in 2022 anyone could build modified variants, making the exact perpetrator difficult to pinpoint.
Trend Micro, a U.S.-based security firm, said in its April 14 research that BPFDoor is “a state-sponsored backdoor designed for cyberespionage activities,” and Red Menshen’s BPFDoor attacks “zero in on the telecommunications, finance and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia and Egypt.”
Given that the attackers behind the SK Telecom breach have made no ransom demands, industry officials suspect a political or military motive, since SK Telecom plays a critical role in the country's telecommunications infrastructure.
"BPFDoor is a tool commonly used by Chinese hacking groups as part of broader operations aimed at planting malware in financial institutions, telecom networks and other national critical infrastructure," Lim Jong-in, distinguished professor at Korea University's School of Cybersecurity and special adviser on cybersecurity to the president, told The Korea Times.
"If the attackers had been financially motivated, personal data from the breach would likely have already surfaced on the dark web. Framing this solely as a data leak incident misses the bigger picture. The government must analyze the attackers’ motives and respond accordingly through international cybersecurity cooperation, particularly with the United States."