 |
Photo = SK Telecom |
[Alpha Biz= Kim Jisun] SEOUL, May 21, 2025 — In the wake of a large-scale hacking incident targeting SK Telecom, it has been confirmed that sensitive user data may have been transferred to Singapore, raising serious national and international cybersecurity concerns.
Koh Hak-soo, Chairperson of the Personal Information Protection Commission (PIPC), revealed during a Privacy Policy Forum held at the Bankers Club in central Seoul that “data from the Home Subscriber Server (HSS) appears to have been transmitted to Singapore via the Wireless Charging Data Repository (WCDR).”
While speculation has circulated around potential involvement by Chinese or North Korean actors, Chairperson Koh emphasized the difficulty in determining the perpetrators in such cyberattacks. “It's hard to ascertain who controlled the Singapore-based IP addresses,” he said, noting that international cooperation would be essential for further investigation.
On May 19, a government-industry joint investigation team reported that the breach involved “BPFdoor”, a backdoor tool frequently used by Chinese-affiliated hacker groups, leading to leakage of USIM data.
Chairperson Koh described the breach as “one of the most severe personal information incidents in history,” adding, “This is a profoundly serious matter that threatens public trust in the era of digital transformation and AI development. We will impose strict penalties for any violations of the law.”
He also pushed back against SK Telecom’s claim that “no secondary damage has occurred,” stating, “Assuming that damage must be evident to be considered real is a flawed view. Harm comes in various forms—even without cloned phones or financial fraud, the leakage itself is already damage.”
Koh criticized SK Telecom’s response, expressing strong regret over the company’s delay in notifying users. Although the breach was disclosed publicly on April 22, SK Telecom only began sending SMS notifications to affected individuals on May 9.
“The delay in notification is deeply regrettable,” Koh said. “Moreover, the content of the message—which suggested they would later inform customers about the ‘possibility of leakage’—failed to meet legal requirements.”
The PIPC has formed a dedicated task force to independently investigate the case, separate from the joint investigation led by the Ministry of Science and ICT. On May 2, the commission held an emergency meeting, mandating that SK Telecom must notify all affected users individually.
Alphabiz Reporter Kim Jisun(stockmk2020@alphabiz.co.kr)
