April 18: SK Telecom detects abnormal logs and file deletion traces.
April 19: Data breach confirmed on home subscriber server at Seoul data center.
April 22: Suspicious activity involving USIM data reported.
April 28: SIM card replacement begins.
May 1: Possibility of Chinese hacker involvement raised.
May 6: 8 additional malware strains discovered beyond the original 4.
Major international media covered SK Telecom's large-scale hacking incident: TechCrunch ("SK Telecom hacked, 23 million customers' data compromised"), Bloomberg ("SK Telecom officially announces USIM data leak possibility"), Channel News Asia ("SKT begins replacing 20 million customers' SIM cards"), Security Affairs ("millions of subscribers at risk of SIM cloning and fraud"), Yahoo News (SK Group Chairman Chey Tae-won's official apology). The abnormal log deletion detected in SKT servers on the night of April 18 was the prelude to a cyber disaster targeting the national telecommunications network.
How the breach occurred: The attack originated from a vulnerability in the VPN equipment "Ivanti Connect Secure." Korea's cybersecurity authority (KISA) reportedly provided advance warnings and replacement recommendations, but SKT could not immediately implement them. The attack path (unauthorized access → log deletion and concealment → server penetration → access to USIM-related information) demonstrates the vulnerability of SKT's "detection-then-response" security system. The attackers spent over a week inside internal networks planting additional malware, in a sophisticated, sustained attack.
25 types of personal information were leaked, including name, address, resident registration number, location information, call records, data usage, and SIM unique numbers. The USIM information leak is particularly concerning because of the risk of unauthorized access through duplicate SIMs, identity theft, and roaming fraud.
Why it is serious: This was not a simple corporate hack but a collapse of national infrastructure security (trust in telecom infrastructure, a threat to the 5G-based industry ecosystem, distrust of national cybersecurity).
SKT's sluggish response: it took 3 days to report to KISA after recognizing the breach, 1 week to post a website notice, and 3 weeks for the CEO to apologize. The erosion of trust led approximately 250,000 subscribers to switch carriers.
Repeated VPN-based hacking: CISA also issued Ivanti VPN vulnerability warnings in 2023, and Chinese-linked hacker organizations have continued exploiting zero-day vulnerabilities.
"Hackers breach technology, but trust collapses even faster."
[Full CEO Briefing transcript included showing SKT's Yoo Young-sang's detailed apology and remediation measures]


