The breach, and the resulting exodus of customers from SKT, is already destabilising a fiercely competitive mobile market
The MSIT has issued directions to SKT on responding to a breach of nearly 10GB of data
On 1 May 2025, the South Korean Ministry of Science and ICT (MSIT) issued administrative guidance to SKT regarding its response to a data breach. The breach, first detected on 18 April 2025 and reported to regulators on 20 April, resulted in the leak of about 9.7GB of data, though it is still unclear how many of SKT’s approximately 25m subscribers were directly affected. The MSIT’s guidance focuses on the operator’s commitments both to replace all subscribers’ USIMs and to enrol customers into its USIM Protection Service, which SKT stated offers the same protection from fraud as replacing a physical SIM card and which the MSIT confirmed as an effective tool to prevent SIM swapping from compromised cards. The regulator’s initial investigation, which was launched in cooperation with the Korea Internet and Security Agency (KISA) on 22 April, also confirmed that no device serial numbers – known as International Mobile Equipment Identity (IMEI) numbers – were leaked during the breach. The MSIT and KISA are expected to conduct a further joint public-private investigation into the incident, which is likely to run for one to two months and can result in corrective orders issued to the operator and the development of future protective measures for the industry.
The operator has suspended new customer subscriptions until SIM supplies stabilise
The MSIT’s guidance for SKT included specific directions on communicating with its customers and on ensuring that existing customers have access to resources and other support. The regulator instructed SKT to suspend new customer sign-ups in light of a shortage of USIMs, recommending that the operator prioritise providing new cards to existing customers seeking a replacement until the supply stabilises. SKT has stated that it will be able to source approximately 5m replacement SIM cards per month. It has also launched a “SIM reset” solution, which allows customers to change user identification and authentication information without changing physical cards, and has expanded access to self-activated eSIMs. A number of public institutions, such as the National Police Agency, as well as large domestic companies, including Samsung, Hyundai, Naver and Kakao, have also worked to coordinate the replacement and protection of USIMs in business devices, including in direct partnership with SKT. The regulator expects SKT to develop a plan to communicate its liability for any financial damages experienced by customers as a result of the data breach, with a focus on supporting and protecting vulnerable consumers who may be impacted. That liability includes accepting 100% responsibility for any harm that happens after a customer has requested enrolment in the USIM Protection Service, even before the service has been activated by the operator on their behalf. The MSIT also directed the operator to host daily briefings to communicate transparently with the public and offer reassurance on the response underway.
SKT warns it could suffer losses of close to £4bn from customers cancelling their services
During a hearing held by the National Assembly, Ryu Young-sang (CEO, SKT) shared that more than 250,000 customers have left SKT already, a number that could quickly rise to 2.5m customers or 10% of the firm’s subscriber base. The operator has been under pressure to waive early termination fees for customers seeking to switch providers, which average KRW100,000 (£54). Ryu stated the decision to waive fees is currently under review by SKT’s board of directors and a newly established Customer Trust Restoration Committee, and will be made with consideration of the Government’s guidance as well as the potential financial impact for the firm. In his testimony, Ryu stated that if customer cancellations were to reach as many as 5m, the operator would face losses of up to KRW7tn (£3.8bn) for the next three years, including waived termination fees and lost revenue. While the likely total volume of customer migrations due to the data breach is still unknown, the incident is nonetheless already destabilising a closely monitored and controlled mobile market in which operators were recently penalised for colluding to limit customer switching.