SKT ordered to waive termination fees over data breach

SK Telecom (SKT) will waive termination fees for customers who canceled or will cancel their contracts between April 19 and July 14 over the recent SIM hacking incident in response to the government's order on Friday.

The Ministry of Science and ICT Second Vice Minister Ryu Je-myung speaks during a briefing on the final results of a joint investigation into the SK Telecom SIM hacking incident in April at the government complex in Jongno District, central Seoul, on July 4. [YONHAP]

SK Telecom (SKT) will waive termination fees for customers who canceled or will cancel their contracts between April 19 and July 14 over the recent SIM hacking incident in response to the government's order on Friday.

After nearly two months of investigation, it was confirmed that SKT suffered a cyberattack that began in August 2021, and that SIM information tied to some 27 million subscriber identification numbers (IMSIs) was leaked in April.

The government concluded that the fault lies with SKT and determined that customers should be exempt from early termination penalties. What happened?

The Ministry of Science and ICT announced the final results of a joint investigation into the SKT SIM hacking incident on Friday.

The investigation, which involved six rounds of inspection across all 42,605 SKT servers, found 33 types of malware — including 27 variants of BPFDoor, malware installed to access a server from outside, bypassing normal authentication and network-monitoring systems — on 28 infected servers. This marks an increase from the second investigation released in May, which had identified 23 malware types on 23 servers.

A total of 9.82 gigabytes of SIM data — spanning 25 data types, including phone numbers and IMSIs — was leaked. Based on IMSI figures, this translates to roughly 26.96 million cases, effectively encompassing all SKT subscribers.

The government assessed that the likelihood of further damage is low.

An SK Telecom store in Jongno District, central Seoul, is seen on July 3. [NEWS1]

“Just like in the first and second investigations, we found no evidence of additional damage from SIM cloning,” said the Science Ministry Second Vice Minister Ryu Je-myung during a briefing Friday. “As with the second report, the 290,000 IMEIs stored in the customer management network showed no signs of data leaks during the period covered by log records.”

However, it remains impossible to confirm whether leaks occurred during a two-and-a-half-year span for which no log data exists.

“While we cannot guarantee full technical assurance, SKT appears to have expedited upgrades to its SIM protection and Fraud Detection System due to such uncertainties,” said Ryu.

People walk by an SK Telecom store in downtown Seoul on June 24. [YONHAP]

SKT’s negligence

In its final report, the government concluded that SKT should waive early termination fees for customers who cancel their service due to the hacking.

“Given SKT’s negligence and failure to fulfill its contractual obligation to provide secure communication services, this constitutes a breach for which SKT is responsible under its terms of service,” said Ryu.

The investigation found that SKT failed to encrypt sensitive information and had previously responded inadequately to a security breach without reporting it, highlighting weaknesses in its security system. Silent breach

The investigation pointed to SKT’s poor internal credential management as the root cause. Hackers first infiltrated the telecom's internal servers on Aug. 6, 2021, according to the findings.

They gained access via a server on a management network connected to the internet, which contained unencrypted credentials allowing entry to a core voice authentication server (HSS). This allowed the attackers to infiltrate the HSS server.

Authentication keys, which could potentially be used for SIM cloning, were also stored without encryption. The Global System for Mobile Communications recommends encrypting such information, and other telecom providers such as KT and LG U+ currently follow this guideline.

SK Telecom CEO Ryu Young-sang speaks during a briefing on the final results of a joint investigation into the SK Telecom SIM hacking incident in April on July 4. [NEWS1]

Additionally, SKT failed to report or respond adequately to a previous breach. On Feb. 23, 2022, a server rebooted abnormally, but SKT handled it internally without notifying authorities.

Under the Information and Communications Network Act, companies must report security incidents immediately — within 24 hours starting in 2024. Furthermore, SKT reviewed only one out of six logs from the infected server, missing a critical opportunity to detect the breach.

“Had SKT checked the other five logs, it could have detected that the HSS server had already been compromised with BPFDoor malware,” said Ryu. What are the next steps?

The Science Ministry will require the company to submit a plan to prevent recurrence by the end of July and will review its implementation in November or December.

Shortly after the government briefing, SKT CEO Ryu Young-sang announced, “Following an emergency board meeting, SKT will fully waive early termination fees for customers who canceled their service between April 19 and July 14.”

Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff. BY EO HWAN-HEE [lim.jeongwon@joongang.co.kr]