In April 2025, SK telecom, South Korea’s largest mobile carrier, experienced a major security breach when its internal systems were infected with malware, resulting in the leak of USIM (Universal Subscriber Identity Module) information for approximately 23 million subscribers. This incident has sparked widespread distrust in the security of telecommunications infrastructure and has once again raised alarms about the importance of personal data protection across society.
Leaked USIM information and the risk of secondary damage
SK telecom admitted that several of its servers were compromised by external hacking, leading to a malware infection and a subsequent data breach involving large volumes of USIM-related information. The leaked data included unique USIM identifiers (UIDs), device information, and network authentication values. Unlike names or phone numbers, this is considered highly sensitive security data used directly in telecommunications and authentication systems.
Such data plays a critical role in verifying user identity and securing mobile communications. According to the chairman of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, in the worst case scenario, up to 9.7 gigabytes of internal documents were compromised, suggesting a significant and potentially far-reaching breach. If exploited by malicious actors, this information could be used for serious crimes such as opening duplicate mobile accounts, intercepting text messages, or bypassing bank account authentication systems.
SK telecom and government response
Recognizing the gravity of the incident, SK telecom initiated an emergency response plan. The company began offering free USIM replacements to all subscribers and committed to refunding customers who had already paid out of pocket for replacements. In addition, a “USIM Lock” service is being automatically applied to all users to prevent replication of USIM data. To focus resources on the replacement process, SK telecom also temporarily suspended new customer sign-ups at its 2,600 T World stores nationwide starting May 5th. This is considered an unprecedented measure for a telecom company and reflects the pressure on the company to swiftly restore customer trust by overhauling its internal security systems.
However, SK telecom’s response has been criticized on several fronts. Most notably, there was a significant delay between the detection of the breach and the public announcement, leaving many customers unaware of the incident while continuing to use the service. Some users reported experiencing suspicious activities such as smishing attempts and OTP (one-time password) verification failures. Furthermore, the company failed to provide individualized notifications to the affected users, fueling further dissatisfaction. Additionally, the free USIM replacement policy itself has drawn criticism for its limited effectiveness and the chaos it caused in the field. Customers faced long wait times of several hours at T World stores or had to leave without service due to limited appointment availability. Elderly individuals, people with disabilities, and residents in rural areas struggled with accessibility. USIM stock shortages forced some to visit multiple stores to get a replacement. Most critically, replacing the USIM does not fully prevent the misuse of already-leaked data, exposing the limitations of this measure.
The government has also recognized the severity of the situation and issued administrative guidance. The Ministry of Science and ICT ordered SK telecom to temporarily suspend new customer registrations and expanded its inspection of security across critical ICT infrastructure, including all three major telecom companies. At the same time, it is reviewing the effectiveness of current cybersecurity laws and discussing measures for compensation and prevention of future incidents.
Legal action is also intensifying. Multiple law firms and thousands of citizens have filed a class-action lawsuit against SK telecom, claiming that the data leak resulted from the company’s negligence in managing user information. Legal experts believe this case could serve as a precedent in establishing compensation standards for personal data breaches in Korea.
Structural vulnerabilities in SMS-based authentication
This incident highlights the extent to which South Korean society has become dependent on digital infrastructure. Most citizens access a wide range of services—financial, administrative, authentication, and healthcare—via mobile communication networks, which rely heavily on the security of components like USIM. Yet while companies and institutions have focused on expanding technological infrastructure, investments in security and risk management systems have lagged behind.
In particular, the breach exposed the structural weaknesses of SMS-based authentication systems, widely used for two-factor authentication and identity verification. If a hacker uses stolen USIM information to activate a cloned device and intercept banking verification texts, users could potentially lose control over their accounts and assets entirely. Despite the risks, there is still no widely adopted alternative to telecommunications- based authentication systems in Korea.
This incident should serve as a turning point for businesses, government, and civil society. Companies must strengthen internal security controls and establish clear standards for information disclosure during crises. The government should enhance legal and institutional frameworks for prevention and compensation, while citizens must improve their digital literacy and capacity to protect personal information. Technological advancements make life more convenient, but they also bring ever-present risks of intrusion and exploitation. The SK telecom USIM hacking case is not just a corporate failure—it is a societal issue. Protecting personal data is not only about individual privacy but also about safeguarding the foundation of trust in the digital society. Security can no longer be treated as optional and must be treated as a fundamental requirement. This crisis should be remembered as a stark warning of what is at stake.