Device identification numbers possibly compromised in SKT hack



A notice is put up at an SK Telecom direct store in Jung District, central Seoul, on May 12. [NEWS1]


 
It appears that users' personal information may also have been leaked in last month's SK Telecom (SKT) hacking incident, as further investigations suggest that international mobile equipment identity (IMEI) numbers were also possibly compromised.
 
The Ministry of Science and ICT released the second report by the joint public-private investigation team on the SKT breach on Monday. The ministry said investigators have so far confirmed 23 infected servers and discovered 25 types of malware.
 


This is an increase of 18 infected servers and 21 additional types of malware from the first report.
 
In the initial findings announced on April 29, the team had examined five servers believed to have been attacked and confirmed the leak of 25 types of data, including phone numbers and international mobile subscriber identity (IMSI). Investigators found four variants of BPFDoor malware, known for its popularity in Chinese hacking circles.
 
The investigation also confirmed that the volume of leaked SIM data amounted to 9.82 gigabytes, equating to around 26,957,749 IMEI entries. The combined total of SKT subscribers and users of budget mobile carriers that operate on SKT’s network is around 25 million, nearly the same volume as the leaked data.
 
SK Telecom users wait in line to switch their SIM cards at a booth in Incheon International Airport on May 8. [NEWS1]


 
The team explained that it has conducted four rounds of inspections on about 30,000 Linux servers operated by SKT, aiming for a thorough check of the entire server system by next month, especially to identify additional infections linked to the initially detected BPFDoor malware.
 
Of the 23 infected servers, forensic analysis across the four rounds of inspection has been completed on 15, while analysis of the remaining eight is ongoing. A fifth round of inspections is also underway to detect and remove any other malware.
 
Analysis on the last eight servers is scheduled for completion by the end of this month. Among the 15 servers already analyzed, investigators identified two that stored personal data.
 
An SK Telecom store worker demonstrates SIM card replacement at a branch in Seoul on May 12. [YONHAP]

 
These servers are linked to the integrated customer authentication system. They contained personal information such as IMEI, names, birth dates, phone numbers and email addresses that had been called up for the purpose of customer verification.
 
Initially, the team had examined 38 servers where IMEI data was stored and confirmed they had not been infected. However, during the forensic investigation of the infected servers, they discovered that some IMEI data had been temporarily stored in files on linked servers during certain periods.
 
The team confirmed that these files contained a total of 291,831 IMEI entries. According to the results of a detailed investigation, firewall logs confirmed that no data leaks occurred between Dec. 3 of last year and Apr. 24.
 
SK Telecom users line up at a booth in Gimpo International Airport in western Seoul on May 9 to get new SIM cards. [NEWS1]


 
However, data leaks cannot be ruled out for the period from June 15, 2022, when the malware is believed to have first been installed, to Dec. 2, 2024, for which no log records exist.
 
Whether IMEI or other SIM and personal data were leaked during that period remains to be determined through further forensic investigation, but the absence of log records may make confirmation difficult.
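The evidence problem described above is a general one: an investigator can only clear a time window that the retained logs actually cover. The script below is an added illustration, not code from the article or from the investigation team; it takes a handful of constructed firewall log lines (the timestamps are the only field it reads, and the ISO format is an assumption), works out which days the logs cover, treats any silence longer than a chosen threshold as a retention gap, and then reports the parts of a suspected compromise window that no log can vouch for. The window dates are the ones the article reports.

```python
from datetime import date, datetime, timedelta

# Constructed sample firewall log lines (not real SKT data). Only the leading
# ISO-8601 timestamp is used; the rest is illustrative filler.
SAMPLE_FIREWALL_LOG = """\
2024-12-03T00:01:12Z fw01 ACCEPT src=10.0.1.5 dst=10.0.2.9 proto=tcp dport=443
2024-12-03T00:01:40Z fw01 DROP src=10.0.1.5 dst=203.0.113.7 proto=tcp dport=8443
2025-01-15T09:22:01Z fw01 ACCEPT src=10.0.1.7 dst=10.0.2.9 proto=tcp dport=443
2025-03-10T14:05:33Z fw01 DROP src=10.0.1.8 dst=198.51.100.3 proto=tcp dport=22
2025-04-24T23:59:58Z fw01 DROP src=10.0.1.9 dst=198.51.100.3 proto=tcp dport=22
"""

# Suspected compromise window from the article: first malware install to the
# last day the investigators examined (assumption: inclusive of both ends).
SUSPECTED_WINDOW = (date(2022, 6, 15), date(2025, 4, 24))


def log_days(log_text):
    """Return the sorted, de-duplicated set of calendar days that have at least one log line."""
    days = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = line.split(" ", 1)[0]
        days.add(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date())
    return sorted(days)


def covered_intervals(days, max_silence_days=60):
    """Merge logged days into inclusive (first, last) intervals.

    A silence longer than max_silence_days (an assumed threshold, tuned to how
    chatty the log source normally is) is treated as a retention gap and starts
    a new interval rather than being silently bridged.
    """
    if not days:
        return []
    intervals = []
    start = prev = days[0]
    for d in days[1:]:
        if (d - prev).days > max_silence_days:
            intervals.append((start, prev))
            start = d
        prev = d
    intervals.append((start, prev))
    return intervals


def coverage_gaps(window, covered):
    """Return the inclusive sub-intervals of `window` that no covered interval touches."""
    start, end = window
    one_day = timedelta(days=1)
    gaps = []
    cursor = start
    for cs, ce in sorted(covered):
        if ce < cursor:
            continue
        if cs > cursor:
            gaps.append((cursor, min(cs - one_day, end)))
        cursor = max(cursor, ce + one_day)
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps


def report(log_text, window, max_silence_days=60):
    """Summarise unverifiable spans as (first_day, last_day, day_count) with ISO dates."""
    covered = covered_intervals(log_days(log_text), max_silence_days)
    return [
        (g0.isoformat(), g1.isoformat(), (g1 - g0).days + 1)
        for g0, g1 in coverage_gaps(window, covered)
    ]


if __name__ == "__main__":
    for first, last, n in report(SAMPLE_FIREWALL_LOG, SUSPECTED_WINDOW):
        print(f"no log evidence from {first} to {last} ({n} days)")
```

Run against the constructed sample, the logs cover Dec. 3, 2024 through Apr. 24, 2025 as a single interval, and the only unverifiable span is June 15, 2022 through Dec. 2, 2024, which is exactly the period the article says cannot be ruled out. The silence threshold matters in practice: a log source that normally writes every minute should use a much smaller value so that a quietly purged month inside an otherwise covered range also surfaces as a gap.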
 
The investigators confirmed that a server containing personal data had been hacked on May 11, and requested that SK Telecom verify the possibility of data leakage and take measures to prevent harm to users.

BY KIM MIN-YOUNG [[email protected]]