my timesThe Korea Times
  1. Opinion

It was just a SIM card — until 27 million of us got hacked

Listen
By Chyung Eun-ju (By Chyung Eun-ju and Joel Cho)
  • Published KST
  • Updated KST
Chyung Eun-ju

Chyung Eun-ju

It started with a telecom breach. Then, a payment app glitched. Following the glitch, our favorite bookstore went dark. Just last month, a Cybernews report revealed a massive leak of more than 16 billion login credentials — including Google, Facebook and Apple accounts. Now, we’re left wondering: Is our digital world too fragile?

Our tech keeps failing, but our memories keep on faltering. It almost seems that the more technological advancements that occur, the more we forget.

Back in April this year, SK Telecom, South Korea’s largest mobile carrier, was hit by a silent cyberattack. It wasn’t loud or dramatic — but it was serious. Malware infected their systems and leaked data from over 27 million users. That includes unique identifiers like SIM, IMSI and IMEI numbers — the core of how phones connect to networks.

These details aren't as easy to change as a password. They’re tied to your phone — and by extension, your bank, your ID and your location.

If that kind of information can be taken so quietly, what else have we overlooked?

We used to rely on autofill and fingerprint logins. Now, we’re learning our passwords again. Most people have probably lost count of how many times they had to recover their passwords in the last few years. Digital dependency has been ingrained in us since childhood — from saving homework on floppy disks in elementary school to chatting on MSN Messenger or Cyworld after class.

Most of us grew up syncing our memories to devices, so it’s no surprise that trying to live without technology now feels disorienting. Our memory doesn’t work the way it used to because for most of our lives, it didn’t have to.

After we became aware of SK Telecom's data breach, we found ourselves Googling how to check if our USIM data had been leaked — even though, deep down, we knew there wasn’t much we could do. We texted friends about it. Most hadn’t even heard the news. Somehow, that made it feel worse.

Joel Cho

Joel Cho

Some joked about how breaches are just part of modern life now. But under the surface, it felt different this time — not because of what was taken, but because of how quietly it happened and how little noise there was for something that touched nearly every smartphone user in the country.

But here’s what surprised us most: Just weeks after the SK Telecom breach that compromised sensitive data from over 27 million users, the company was chosen as the preferred bidder for a major government-funded GPU project aimed at advancing artificial intelligence (AI) in Korea.

That might sound like a win for innovation, except for one detail: SK Telecom still doesn’t have CSAP certification, the government’s own standard for cloud security. CSAP, or the Cloud Security Assurance Program, is a government-run certification system meant to ensure cloud providers meet rigorous standards for cybersecurity. Until recently, it was mandatory for any company bidding on sensitive state tech projects. And yet, SK Telecom beat out competitors who spent months, even years, securing that certification just to qualify for projects like this.

“Why would a company that just suffered a large-scale hacking incident and lacks official security clearance be trusted to run a cornerstone of Korea’s AI future?” an industry official asked. We were left wondering the same thing.

The GPU project isn’t small. It’s backed by over 150 billion won in taxpayer funding and is central to Korea’s push to stay competitive in AI. These aren't just cloud rentals — they’re the digital foundation for everything from Korean-made chatbots to next-generation automation tools.

However, the breach seems to have barely been a speed bump in SK's operations. There was no pause, no public review and no visible change in course. In an industry where trust should be earned, SK Telecom was rewarded with more responsibility, not less. That’s not just a tech policy issue — that’s a cultural and even a political one.

This moment highlights a deeper issue: Our systems reward speed and scale over caution and transparency. There’s no real mechanism for public accountability, just the expectation that users will keep scrolling, keep spending and keep syncing. But when tech fails quietly, it undermines trust loudly.

SKT wasn’t the only red flag. In the weeks that followed, Toss, a widely-used fintech app, went down. Then Yes24, Korea’s leading online bookstore, crashed. These aren’t just bugs — they’re signals.

One by one, the digital services we assumed would “just work” stopped working. And the scariest part? We have no backup plan.

But this is bigger than just a telecom or a government decision. It’s about how we, as users, are constantly asked to move on while the systems we rely on grow more complex and less accountable.

We're building the future of AI on foundations that are already cracking.

The danger isn’t just the breach, it’s the reaction to it. Or more often, the lack of one. When breaches become routine, we risk turning them into background noise. A headline, a shrug and then silence. But it is important to not lose sight that each breach represents millions — sometimes billions — of people whose data has been exposed, manipulated or sold. We can’t afford to let this become normal.

It’s not just about technical failures, it’s about responsibility. Companies, especially those operating at the scale of big techs and telecom giants, must be held to higher standards, not just after a breach but long before one happens. Regulatory oversight, transparency and public accountability should not be optional — they should be essential, especially when these platforms handle important fragments of the infrastructure of our daily lives.

This matters even more in a world where our lives are becoming more and more digital. It is undeniable that for most of us, our relationships, conversations, banking, work and even our identities now live online. Social interactions that once took place face-to-face now play out in instant messaging apps, video calls and social platforms. The more we digitize ourselves, the more we depend on systems that are too often vulnerable, opaque and unprepared.

When we fail to treat data breaches with the seriousness they deserve, we don’t just risk our individual privacy but also systemic trust. The danger accumulates over time as stolen identities fuel scams, leaked credentials enable further attacks and exposed information can be weaponized in unimaginable ways. Without serious accountability, companies have little incentive to invest in real security and users are left more vulnerable with each incident that occurs. Ignoring these breaches doesn’t make them go away. It makes them easier to repeat.

We’re not against technology. We just think we’ve lost sense of how much we’re handing over. Trust, once broken, doesn’t reboot with a software update.

Chyung Eun-ju (ejchyung@snu.ac.kr) is a tech research associate at Donghyun ASP. She earned both her bachelors in business and masters in marketing from Seoul National University. Joel Cho (joelywcho@gmail.com) is a practicing lawyer specializing in IP and digital law.