In April 2025, SK Telecom—South Korea’s largest mobile carrier—formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) concluded in July 2025 that SK Telecom was negligent in its account information management practices and in complying with its breach reporting obligations. As a result, the company was fined 30 million won (approx. $22,000).
What Happened?
An unauthorized third party infiltrated SK Telecom’s systems and deployed a Linux backdoor known as BPFDoor. The implant abuses the Berkeley Packet Filter (BPF) facility: it attaches a packet filter to a raw socket so it can watch every inbound packet for a “magic” trigger without ever opening a listening port, which lets it sit beneath host firewall rules and stay invisible to port scans and ordinary listings of listening services. The malware was found on at least 28 servers, with 33 distinct malware variants identified. The breach is believed to be the work of an advanced persistent threat (APT) group, possibly linked to Chinese or North Korean actors, although definitive attribution has not been established.
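Because a BPFDoor-style implant never binds a listening port, the practical hunt is for processes that hold raw AF_PACKET sockets (the kind a packet filter is attached to) and whose identity does not add up. The script below is an added example written for this page, not SK Telecom's or any vendor's tooling. It parses the same three sources a responder would read on a live Linux host (`/proc/net/packet`, the `socket:[inode]` targets under `/proc/<pid>/fd/`, and each process's `comm`, `exe` and `cmdline`), but the inputs here are constructed inline so it runs offline; the allowlist of daemons that legitimately open raw sockets is an assumption to tune per host, and the argv[0]-versus-exe mismatch is a heuristic for the name-masquerading that BPFDoor samples are known to do.

```python
"""Hunt for processes holding raw AF_PACKET sockets, the socket type a
BPFDoor-style backdoor uses to sniff for a trigger packet without listening.

Added example for this page (not SK Telecom's or a vendor's code). All inputs
below are constructed; on a real host feed it /proc/net/packet, the
/proc/<pid>/fd symlink targets and /proc/<pid>/{comm,exe,cmdline} instead.
"""
import re

SOCK_RAW = 3  # value of the 'Type' column for SOCK_RAW in /proc/net/packet

# Assumed allowlist of daemons that legitimately hold raw packet sockets; tune per host.
ALLOWED_COMMS = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager", "systemd-network"}

# Constructed sample in the column layout the kernel prints for /proc/net/packet.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c04d2e000 3      3    0800   2     1 0      0      28101
ffff9a1c04d2e800 3      3    0003   2     1 0      0      28144
ffff9a1c04d2f000 2      2    0800   2     1 0      0      28190
"""

# Constructed /proc/<pid>/fd symlink targets, keyed by pid.
SAMPLE_FDS = {
    811:  {"0": "/dev/null", "3": "socket:[28101]"},
    1337: {"0": "/dev/null", "4": "socket:[28144]"},
    2048: {"3": "socket:[28190]"},
}

# Constructed /proc/<pid>/{comm,exe,cmdline} values. pid 1337 shows the masquerade
# pattern: argv[0] claims to be udevd while the binary actually runs from /dev/shm.
SAMPLE_PROCS = {
    811:  {"comm": "dhclient", "exe": "/usr/sbin/dhclient", "cmdline": "/usr/sbin/dhclient -v eth0"},
    1337: {"comm": "udevd", "exe": "/dev/shm/kdmtmpflush", "cmdline": "/sbin/udevd -d"},
    2048: {"comm": "myagent", "exe": "/opt/agent/bin/agent", "cmdline": "/opt/agent/bin/agent"},
}


def parse_packet_sockets(text):
    """Return one dict per AF_PACKET socket listed in /proc/net/packet text."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({
            "inode": int(cols[8]),
            "type": int(cols[2]),
            "proto": int(cols[3], 16),  # ethertype, e.g. 0x0800 IP, 0x0003 ETH_P_ALL
            "uid": int(cols[7]),
        })
    return sockets


def inode_to_pids(fd_map):
    """Invert the fd table: socket inode -> set of pids that hold it."""
    owners = {}
    for pid, fds in fd_map.items():
        for target in fds.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def hunt_raw_sockets(packet_text, fd_map, procs, allowed=ALLOWED_COMMS):
    """Flag raw AF_PACKET sockets owned by processes outside the allowlist, and
    record why: unexpected process name and/or argv[0] not matching the on-disk exe."""
    owners = inode_to_pids(fd_map)
    findings = []
    for sock in parse_packet_sockets(packet_text):
        if sock["type"] != SOCK_RAW:  # SOCK_DGRAM packet sockets are not the BPFDoor pattern
            continue
        for pid in sorted(owners.get(sock["inode"], ())):
            info = procs.get(pid, {})
            comm = info.get("comm", "?")
            argv0 = info.get("cmdline", "").split(" ")[0]
            reasons = []
            if comm not in allowed:
                reasons.append("raw packet socket held by non-allowlisted process")
            if argv0 and info.get("exe") and argv0 != info["exe"]:
                reasons.append("argv[0] %r does not match exe %r" % (argv0, info["exe"]))
            if reasons:
                findings.append({"pid": pid, "comm": comm,
                                 "proto": "0x%04x" % sock["proto"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_raw_sockets(SAMPLE_PROC_NET_PACKET, SAMPLE_FDS, SAMPLE_PROCS):
        print(finding)
```

On the constructed data only pid 1337 is reported: dhclient is allowlisted and its argv[0] matches its binary, and the third socket is SOCK_DGRAM rather than SOCK_RAW. The same two signals are what `ss -0pb` exposes interactively (packet sockets plus the attached BPF program); this version is meant for sweeping many hosts from collected /proc snapshots.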
What Data Was Stolen?
The attackers accessed and exfiltrated Universal Subscriber Identity Module (USIM) data, including:
- Subscriber phone numbers
- International Mobile Subscriber Identity (IMSI) numbers
- Authentication keys (the per-SIM secret, Ki, that the network uses to authenticate the subscriber)
- Management data used in SIM processing
Because a subscriber’s IMSI and Ki together are the credentials a mobile network checks, exposure of both is what makes SIM cloning possible, and it is why the remedy is a physical SIM replacement rather than a credential reset. While SK Telecom initially asserted that no personally identifiable information (PII) such as birth dates or payment data had been compromised, subsequent reports confirmed that some names and birth dates were in fact accessed. As of the date of publication, there is no confirmed evidence of misuse of the stolen data.
What Was the Government’s Response?
Upon receiving notification of the breach, the Ministry of Science and ICT and KISA launched a formal investigation. The findings revealed that SK Telecom had been aware of potential system compromise as early as 2022 but failed to report the incident in a timely manner. The investigation concluded that the company’s breach reporting and account information management practices were inadequate.
In addition to the financial penalty, SK Telecom was ordered to:
- Provide free SIM card replacements to all affected users
- Waive early termination fees for customers wishing to switch providers
- Undergo quarterly cybersecurity audits
- Implement enhanced internal cybersecurity protocols
As part of its remediation efforts, SK Telecom has since launched an ‘Accountability and Commitment Program’ and committed approx. $514 million to bolster its security infrastructure.
Key Takeaways for Companies
- Incident Response Speed Matters
Timely detection and disclosure are critical in mitigating the impact of a data breach. In SK Telecom’s case, delayed reporting contributed to regulatory penalties and reputational harm. Organizations must maintain a well-practiced incident response plan that includes early threat detection, clear escalation procedures, and predefined communication strategies—particularly for notifying regulators and affected stakeholders.
- Transparency Builds Trust
Transparency is not only a regulatory requirement but also a cornerstone of customer trust. While SK Telecom initially downplayed the breach’s severity, it later had to revise its public statements. Although the company’s subsequent actions—such as offering free SIM replacements and waiving termination fees—helped mitigate some reputational damage, the initial lack of clarity undermined public confidence. Companies should strive for timely, accurate, and transparent communication, while balancing it with the evolving nature of incident investigations.
- Security is a Board-Level Issue
Cybersecurity must be treated as a strategic business risk, not merely a technical concern. The SK Telecom breach exposed significant governance failures, including prolonged undetected access and late regulatory reporting. This has prompted calls for greater executive accountability. Boards should ensure that cybersecurity is embedded into enterprise risk management, with regular briefings, adequate budget allocation, and direct board access for CISOs. Cyber resilience must be a shared responsibility across all leadership levels.