About 27 Million USIM Records Leaked
Malware Found on Server Containing IMEI, Names, and Phone Numbers Since Three Years Ago
No Evidence of Leakage from Late Last Year to April
Leakage Cannot Be Ruled Out Due to Missing Earlier Log Records
Ministry of Science and ICT: "Even If IMEI Was Leaked, Creating Cloned Phones Is Difficult"
Data on Potentially Leaked Server Was Not Encrypted
It has been revealed that approximately 27 million pieces of USIM information were leaked in the SK Telecom USIM hacking incident. In particular, new malware was discovered on servers containing users' personal information and device unique identifiers (IMEI), raising the possibility that this information may also have been leaked. As a result, the hacking incident is likely to enter a new phase.
The SKT USIM Hacking Incident Joint Public-Private Investigation Team announced the second investigation results related to the SKT breach at the Government Seoul Office on the morning of the 19th, revealing that some servers used for customer authentication had been infected with malware. These servers temporarily stored personal information such as IMEI, names, and phone numbers. It was confirmed that files stored on these servers included a total of approximately 290,000 IMEIs.
Choi Woohyuk, Director of Information Security Network Policy at the Ministry of Science and ICT, is giving the second briefing on the joint public-private investigation results related to the SKT breach incident at the Government Seoul Office in Jongno-gu, Seoul, on the 19th. Photo by Yonhap News
According to the investigation team, this server had been infected with malware for a prolonged period, dating back three years. The investigation found that, for the period from December 3, 2024, when log records are available, to April 24 of this year, immediately after the hacking, there were no signs of external leakage. However, for the earlier period from June 15, 2022, to December 2 of last year?about a year and a half?there are no log records at all, so the possibility of IMEI leakage cannot be ruled out.
A senior official from the Ministry of Science and ICT explained, "There is no evidence of leakage during the period for which communication logs exist, but we cannot know what happened before that," adding, "The risk of leakage has now been newly identified."
The IMEI is a unique identifier assigned to a device and serves as a sort of resident registration number for each mobile phone. It is highly sensitive information because it is the key to creating cloned phones. To create a cloned phone, in addition to the IMEI, the subscriber identity number (IMSI) and a cloned USIM are required. The leakage of IMSI and USIM information was already revealed in the first investigation results announced on April 29. With the possibility of IMEI leakage raised in this second investigation, concerns are growing that USIMs could be cloned and used for illegal activities by inserting them into other mobile phones.
However, the government explained that even in the worst-case scenario where IMEIs have been leaked, creating cloned phones is not easy. Ryu Jemyoung, Director of Network Policy at the Ministry of Science and ICT, stated, "Physically, it is impossible to clone a device with only the 15-digit IMEI value without the device-specific authentication key held by the manufacturer," and added, "SKT has also completed the advancement of its Fraud Detection System (FDS), which can block abnormal authentication attempts and prevent network access."
Previously, the investigation team had announced in the first investigation results that there was no evidence of IMEI leakage. The server found to be infected with malware was discovered after the first investigation. Director Ryu explained, "We identified the problematic server on the 11th, and immediately requested SKT to take action," adding, "SKT expedited the advancement of FDS 2.0 and applied it much earlier than planned."
It was also confirmed that the personal information stored on the server now identified as potentially leaked was not encrypted. Lee Donggeun, Director of the Digital Threat Response Division at the Korea Internet & Security Agency (KISA), stated, "All of the temporarily stored information discovered this time was in plaintext (unencrypted)." Choi Woohyuk, Director of Information Security Network Policy at the Ministry of Science and ICT, said, "The issue of personal information leakage will be officially announced after the Personal Information Protection Commission completes its investigation."
It appears that SKT's suspension of new subscriber registrations will continue for the time being. Director Ryu emphasized, "The consistent principle regarding new registrations is that the interests of existing subscribers who wish to replace their USIMs must take top priority," and added, "In a situation where there is a shortage of USIMs and existing subscribers need replacements, using that supply for new registrations should not be allowed."
The joint public-private investigation team plans to complete its investigation of all SKT servers by June and determine the final scale of the damage and the path of the leak.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
