A major security incident at SK Telecom, South Korea’s leading telecom company, may have compromised the personal data of close to 27 million users, according to findings from a collaborative investigation between government authorities and private sector specialists. This breach ranks among the largest in the nation’s telecommunications history.
The Ministry of Science and ICT revealed on Monday that about 27 million international mobile subscriber identity (IMSI) numbers were compromised in the cyberattack, which began in 2022. The findings were shared during an interim press briefing while forensic and log analyses continue.
The breach was uncovered on April 18, 2025, but investigators believe the malware was first installed on SK Telecom’s servers as early as June 15, 2022. The scope of the attack widened as authorities found that 23 servers were compromised—up from the initial five revealed in late April. This discovery follows SK Telecom’s recent rollout of its “SIM Reset” security measure to prevent SIM card cloning.
The investigation uncovered 25 distinct types of malware on 15 compromised servers: 24 variants of the covert BPFDoor backdoor and a single web shell. An additional eight servers remain under scrutiny. The breach exposed approximately 9.32 gigabytes of USIM data, containing nearly 26.9 million international mobile subscriber identity (IMSI) numbers, which play a critical role in mobile authentication and financial transactions.
Two compromised servers acted as temporary repositories for sensitive personal data, including subscriber names, birthdates, phone numbers, email addresses, and nearly 292,000 international mobile equipment identity (IMEI) numbers. IMEI numbers serve as unique device identifiers used increasingly for mobile security and authentication. SK Telecom currently serves approximately 25 million subscribers, including users of budget phone plans.
Authorities noted that no data leakage occurred between December 2, 2024, and April 24, 2025; however, they were unable to verify whether any data was leaked from June 2022 to December 2024 because firewall logs for that period are missing. Public concerns have grown around the compromised IMEI data, though experts and manufacturers assert that cloning devices using IMEI numbers alone is technically impractical.
Ryu Je-myung, Deputy Minister of the Office of Network Policy, emphasized the seriousness of the breach, noting that the malware and tactics used require a far more advanced level of investigation than previous incidents did. While no damage has been reported, concerns over phone cloning persist, although manufacturers maintain that creating duplicate devices using only leaked IMEI numbers is technically infeasible. Cybersecurity experts caution that this case should be treated as more than a simple data leak, urging thorough analysis to prevent more severe threats in the future.