South Korea’s SK Telecom Hacking Scandal

 

Choi Tae-won, Chairman of SK Group, bows in apology during a daily briefing on the SK Telecom hacking incident held at the company’s headquarters in Jung-gu, Seoul, on May 7.

South Korea’s SK Telecom Hacking Scandal: Government Demands Penalty-Free Contract Termination

A major hacking incident involving SK Telecom, South Korea’s largest telecom operator, has triggered public outrage and a sweeping government response. On July 4, the Ministry of Science and ICT (MSIT) released the final report from a joint government-private investigation, revealing alarming security lapses and demanding that SKT waive termination fees for affected customers.

Massive Breach Exposed: Over 42,000 Servers Compromised

The investigation found that the cyberattack began as early as August 6, 2021—much earlier than previously known. Hackers installed malware on a server connected to SKT’s system administration network and eventually breached over 42,600 servers.

Critically, administrator credentials were stored in plaintext, without encryption—an egregious failure in basic cybersecurity practices. By December 2021, hackers had infiltrated SKT’s HSS (Home Subscriber Server), the core of voice authentication, and implanted 33 types of malware, including a Linux-based “BPFdoor” variant designed for stealth and long-term control.

In April 2024, hackers exfiltrated 9.82GB of USIM data, likely covering the entire customer base.

SKT Knew in 2022—But Stayed Silent

Shockingly, SK Telecom detected anomalies as early as February 2022, but chose not to alert the public. A server reboot raised red flags, but the company reviewed only one of six relevant log files, failing to identify the breach.

The investigation found further evidence of lax internal controls:

• No password changes or expiration policies on critical server accounts.

• Unencrypted storage of sensitive user data, including USIM authentication keys.

• Non-compliance with international encryption recommendations for telecom operators.

SKT also missed the 24-hour legal reporting window when the breach became undeniable in April 2024. The company later submitted servers in a condition that prevented proper forensic analysis, raising suspicions of data tampering.

Government Holds SK Telecom Accountable

The Ministry declared that SK Telecom’s gross negligence directly led to the breach. As such, it invoked Article 43 of SKT’s own user agreement, which requires waiving penalties when the company is at fault.

This announcement follows strong remarks from President Lee Jae-myung, who emphasized that “customers must not suffer damages due to corporate fault.”

The government warned SKT that refusal to comply could trigger corrective orders or even license revocation under the Telecommunications Business Act.

Legal advice from four different institutions backed the Ministry’s stance: waiving termination penalties is legally justified due to SKT’s breach of duty.

What’s Next: Government Action & SKT’s Response

The Ministry ordered SKT to submit a comprehensive security overhaul plan by the end of the month and pledged to audit implementation progress by year’s end. Key reforms include:

• Quarterly security checks across all IT assets

• Multi-factor authentication for all server access

• Direct reporting line between the CISO and CEO

• Retaining server logs for at least six months

On the same day, SK Telecom CEO Yoo Young-sang announced an immediate response package, accepting the penalty waiver for customers who terminated or will terminate their contracts by July 14.

The company also unveiled a ₩500 billion (~$360 million) “customer appreciation package”, including:

• 50% off August bills

• Monthly bonus data for all users

• ₩700 billion (~$500 million) in future cybersecurity investments

In addition, SKT pledged ₩10 billion (~$7 million) to a national cybersecurity fund to support the broader information security ecosystem in Korea.

Final Thoughts: A Wake-Up Call for the Industry

Minister Lee Jong-ho called the incident a wake-up call not just for telecom, but for all national network infrastructure. He pledged sweeping reforms to Korea’s cybersecurity landscape as the country seeks to become a “trusted AI powerhouse.”

The SK Telecom breach is a landmark case in digital accountability, highlighting the dangers of underestimating cyber threats in a hyper-connected world. Whether SKT’s response will be enough to rebuild public trust remains to be seen—but one thing is clear: corporate negligence now comes with a steep cost.