
SK Telecom stores overwhelmed as customers rush to replace USIM cards over security fears
SK Telecom plans to secure 5m more USIM cards by late May, but that would still fall far short of covering its 25m users
What was meant to reassure customers after a major security scare quickly turned into long lines, delays and frustration, as SK Telecom's free USIM card replacement program struggled to meet overwhelming demand on its first day.
Earlier this month, South Korea's largest mobile carrier disclosed that it had discovered malware inside a key internal system, the Home Subscriber Server — the database that manages mobile user identities and network authentication.
The discovery raised concerns that sensitive information stored on customers' physical USIM cards — including identifiers needed to verify a user's phone on the network — may have been exposed.
To address security concerns, the company promised free physical USIM card replacements to all affected customers — over 25 million people in total.
It also urged customers to enroll in its "USIM Protection Service," a security feature that blocks network access if a cloned USIM card is inserted into an unauthorized device by verifying the phone's IMEI number — a unique identifier assigned to each mobile device, like a digital fingerprint.
SK Telecom emphasized that enrolling in the service offers a level of safety comparable to replacing the card.
Long lines, empty hands
At SK Telecom's store near Sookmyung Women's University station in Yongsan-gu, Seoul, customers lined up early Monday morning, only to find that the stock of USIM cards had already been depleted.
The store had posted an online notice days earlier on Naver Map, warning that over 500 reservations had already been made.
Inside, two overwhelmed employees explained that early reservation holders could swap their USIM cards immediately, while walk-ins had to book new appointments — later this week if done in person, or next week if scheduled online through SK Telecom's website (care.tworld.co.kr).
"Even with endless stock, two of us can only replace about 100 cards a day," one staffer said.
For most waiting in line, security fears, not inconvenience, drove the urgency.
A woman in her 50s said she had booked her appointment "as soon as news of the breach broke."
Nearby, a man in his 60s, who had received SK Telecom's security alert via text, called the breach "very serious" and said he felt far safer physically replacing his USIM card than relying solely on the network-based protection service.
Others shared similar views.
A university student in his 20s said he "did not expect immediate financial theft" but felt "uncomfortable leaving compromised data unaddressed." A man in his 30s, who had learned about the breach only through news reports, said he "found the situation unsettling enough to warrant a prompt replacement."
The reservation website struggled under demand as well. By mid-morning, more than 97,000 customers were queued for reservations.
At major airports like Incheon, SK Telecom expanded roaming center staffing by 50 percent and pledged that even if customers missed replacement opportunities before departing, the company would be liable for any subsequent overseas fraud involving cloned USIM cards.
Currently, SK Telecom holds around one million USIM cards, with plans to secure five million more by late May. Given the scale, shortages are expected to persist for weeks.
Expert's assurance amid anxiety
Amid these mounting anxieties from customers, cybersecurity professor Kim Seung-joo of Korea University told The Korea Herald that replacing the UICC smart card containing the USIM application resets the crucial IMSI and K values, neutralizing the impact of the leaked data.
"When you replace your USIM card, the identifiers are regenerated. You can rest assured after replacement," Kim said.
He confirmed that SK Telecom's USIM Protection Service also provides strong interim protection by blocking cloned cards from accessing the network. "Enroll in the service first if necessary, and replace the USIM card later when the rush subsides," he advised.
Kim also confirmed that leaked USIM card data alone cannot directly lead to bank account theft.
mjh@heraldcorp.com
Related Articles


Korea Herald
26-05-2025
Investigation into SK Telecom data breach expands to KT, LG Uplus: sources
A joint government-private investigation team looking into SK Telecom Co.'s recent large-scale data breach has extended its probe to the servers of two other major mobile carriers, KT Corp. and LG Uplus Corp., but found no signs they have been compromised, industry sources said Monday.
Initially, the team had asked local telecommunications and platform companies to conduct their own cybersecurity inspections. However, the approach was revised last week amid growing concerns that hackers using BPFDoor malware variants may have also targeted other South Korean mobile carriers, according to the sources.
Following the expanded investigation, no traces of hacking activity have yet been found on the servers of KT or LG Uplus, they added.
In a media briefing last week, the investigation team revealed interim findings indicating that 25 malware variants had been discovered on 23 servers belonging to SK Telecom. These included 24 variants of the BPFDoor malware and one variant of WebCell.
Two of the affected servers had been used as temporary storage for personal data, such as names, birthdates, phone numbers and email addresses, as well as international mobile equipment identity data. The IMEI is a unique identifier for each device on a network and could potentially be exploited in financial transactions.
SK Telecom discovered the breach April 18.
(Yonhap)
Korea Herald
21-05-2025
[Editorial] Hole in cybersecurity
SK Telecom breach dates back 3 years; Malware indicates China-based hacking
The nation was jolted by interim probe findings that personal information and universal subscriber identity module, or USIM, data of practically all subscribers of SK Telecom may have been leaked by hackers.
The cyberattack dated back about three years and turned out to be much more extensive than revealed in the initial briefing, according to the second briefing Monday by a joint investigation team of the Ministry of Science and ICT and the Korea Internet & Security Agency. SK Telecom discovered the breach about a month ago, on April 18.
Leaked USIM data amounted to 9.82 gigabytes, which equates to roughly 26.9 million units of international mobile subscriber identity, or IMSI, numbers. This means that the USIM data of practically all SK Telecom subscribers has been leaked. Currently, it has 25 million subscribers, including 2 million budget phone users.
A total of 23 SK Telecom servers were found to be compromised by malware, up from the five disclosed in the previous briefing held on April 29. The number of malware variants found to have infected the servers increased from four to 25.
Among the affected servers, two had been used as temporary storage for personal data, such as names, birthdates, phone numbers and email addresses, as well as data on international mobile equipment identity, or IMEI, a serial number assigned to every mobile phone. The possibility of financial fraud and other forms of secondary damage from copy phones has gone up.
Investigators found that hackers planted malware on June 15, 2022. It is shocking that not only the telecom carrier but also the government and private cybersecurity firms had remained in the dark about the malware's infiltration for about three years.
There is another problem. How much damage the cyberattack will cause down the road is anyone's guess. SK Telecom reportedly keeps log data for the last four or five months. So, no log data is available for the period from June 15, 2022, when malware was first planted, to Dec. 2, 2024. Fortunately, no evidence was found showing any data leakage between Dec. 3 last year and April 24 of this year, but investigators could not confirm whether any leaks occurred during the period for which log data is not available.
It is worth noting that 24 of the 25 malware variants detected this time were found to be BPFDoor, a backdoor reportedly used by China-based hackers to attack Middle Eastern and Asian telecom companies in recent years. Experts warn that this malware could be used for a cyberattack on the communication infrastructure of a country.
Given that data on all SK Telecom subscribers may have been leaked for as long as three years, the breach is not likely to emerge as a simple hacking case. It is uncertain whether the incident was an organized cyberattack to cripple the communication system of a country rather than an attempt to steal money.
Considering the cyber intrusion was not detected for so long, anybody can guess a similar thing may be happening at other communication networks or major institutions.
Communication infrastructure is one of the cruxes of state administration. Cyberattacks could paralyze it secretly, plunging a nation into chaos. The SK Telecom breach reconfirms how vulnerable South Korea has become to such vital attacks.
SK Telecom bears the primary responsibility for protecting its system from hacks, but the government needs to check the nation's cybersecurity this time. Also, the National Assembly should do its part to help telecom carriers fend off cyber infiltrations from abroad.
One of the laws that it needs to revise is its espionage law, which only punishes spying activities done for North Korea. Recently, two Chinese nationals were caught photographing fighter jets near air bases in South Korea but released after telling police that photographing was their hobby. Police say there was no evidence that they did so for North Korea. China or the US would likely respond quite differently.
For a nation to keep its sovereignty, security must be tight, cyber or not.


Korea Herald
21-05-2025
Who hacked S. Korea's largest telecom, and why? Growing concerns the SKT data breach wasn't just about money
Some suspect a sophisticated Chinese hacking group may be behind the attack, raising potential alarms over cyber security
Nearly three years before South Korea's largest telecom provider knew anything was wrong, hackers had already broken into SK Telecom's internal systems.
This detail emerged from a briefing this Monday by the government's public-private joint investigation team, which is probing one of the country's most serious cybersecurity breaches in recent memory.
The attackers first embedded malware on June 15, 2022, according to the investigation. That software remained hidden until last month, when over 9 gigabytes of sensitive SIM-related data tied to approximately 25 million subscribers, including customers of SKT's budget MVNO carriers, was suddenly exfiltrated.
Among the leaked data were 21 types of subscriber-related information, including identification numbers and SIM authentication credentials.
What hasn't been confirmed, however, is whether call records or other highly sensitive personal communications data were taken.
SK Telecom has said its call detail records (CDRs) are encrypted, but encryption alone may not be enough, warns Professor Kim Seung-joo of Korea University's Graduate School of Information Security.
'Even encrypted data is vulnerable if the keys aren't securely managed,' he said in a separate media interview on Tuesday. 'The same thing happened to nine US telecoms last year.'
CDRs are highly valuable in state-backed cyber operations. Unlike credit card data, they reveal patterns of communication and movement, making them ideal for tracking public officials and institutions, he explained.
The malware discovered on SK Telecom's servers included BPFDoor, a backdoor tool also used by Salt Typhoon, the Chinese-linked group behind the attacks on AT&T, Verizon and T-Mobile. South Korean investigators have not confirmed the attribution, but suspicion is growing.
Professor Lim Jong-in, a cyber defense expert at Korea University, told local radio on Wednesday morning that he suspects the Chinese hacking group Red Mansion may be behind the intrusion. They are known for APT-style cyberattacks -- operations that are typically slow-moving, well-funded and thus conducted by nation-state actors rather than ordinary cybercriminals. APT stands for Advanced Persistent Threat.
'Their yearslong persistence and stealth tell you this wasn't just about stealing data for profit,' said Professor Yum Heung-yeol, another cybersecurity scholar at Soonchunhyang University, according to a local media report on Wednesday. 'To compromise a core telecom operator without any spies or insider cooperation is not something amateur hackers can do.'
So far, no customers have reported cloned phones, suspicious charges or extortion attempts. That silence and the long-term nature of the breach, the experts have all said, make financial motives unlikely.
'We are looking into multiple possibilities, including whether the attack was to steal data or to establish long-term access to deeper systems,' said Ryu Jae-myeong, director-general of network policy at the ICT Ministry involved in the joint investigation team.