
SKT Hacking Began Three Years Ago... Government Raises Possibility of Duplicate Phones for First Time

Yonhap News

One month after the SK Telecom USIM hacking incident, the government has, for the first time, raised the possibility of duplicate phone creation. Previously, both the government and SKT maintained that even if USIM information was leaked, it would not be possible to create a duplicate phone because the device’s unique identifier (IMEI) had not been compromised. However, the government has now officially mentioned the possibility of IMEI being leaked externally. As a result, SKT, which had emphasized that there would be no subscriber damage with only the SIM protection service, is now expected to place greater emphasis on SIM card replacement.


290,000 IMEI Records Found on Hacked Server
Choi Woohyuk, Director of Information Security Network Policy at the Ministry of Science and ICT, is holding the second briefing on the joint public-private investigation results related to the SKT breach incident at the Government Seoul Office in Jongno-gu, Seoul on the 19th. Photo by Yonhap News


The joint public-private investigation team announced on the 19th that, according to the results of the second investigation into the SKT breach, some servers used for customer authentication were infected with malware, and temporary storage of personal information such as IMEI, names, and phone numbers was found on these servers.


The investigation revealed that these servers had been infected with malware for an extended period, starting three years ago. According to the findings, for the period from December 3, 2024, to April 24, 2025, when log records remain, there was no evidence of external leakage. However, for the earlier period from June 15, 2022, to December 2, 2023, which spans about a year and a half, there are no log records at all, making it impossible to rule out the possibility of IMEI leakage. A senior official from the Ministry of Science and ICT stated, "We believe there was no leakage during the period for which communication logs exist, but we cannot determine what happened before that," adding, "This means that the risk of leakage has been newly identified."


The IMEI is a unique identifier assigned to a device and serves as the equivalent of a resident registration number for each mobile phone. It is a highly sensitive piece of information and is the key to creating duplicate phones. In order to create a duplicate phone, the IMEI, the subscriber identification number (IMSI), and a cloned SIM are required. The leak of IMSI and SIM information was already revealed at the end of last month during the announcement of the first investigation results. Now, with the second investigation raising the possibility of IMEI leakage, concerns are growing that financial fraud schemes such as 'SIM swapping', where hackers use stolen information to clone a SIM and commit illegal acts on another device, could become a reality.


18 Additional Infected Servers... Investigation to Conclude in June

During the second investigation, a total of 18 additional servers were found to be infected with malware. Among these, the most problematic servers were those linked to SKT's integrated customer authentication system. This is because key information such as IMEI was temporarily stored for a certain period during the process of authenticating customer devices. Files containing a total of 291,831 IMEI records were found on these servers.


In the first announcement last month, the joint investigation team stated, "IMEI was not leaked." In this investigation, however, the possibility of IMEI leakage was raised. A Ministry of Science and ICT official explained, "In the first investigation, we urgently inspected 38 servers identified as storing IMEI, and since these were not infected, we could definitively say there was no leakage. However, during the comprehensive inspection of about 30,000 servers this time, we discovered additional servers that temporarily store IMEI during service operations."


The Safest Method Is 'SIM Card Replacement'
The government notified SKT and ordered an immediate response.

The safest method in the current situation is SIM card replacement.

It is a method that completely invalidates the unique identifier of the existing SIM card and replaces it with a new one.
It can fundamentally block threats such as duplicate phone creation or illegal authentication bypass.
On the other hand, the SIM protection service detects and blocks abnormal activities such as hacking or cloning attempts in real time.

If the SIM is already exposed, there is concern that the actual defense capability may be reduced.

As of the 18th, 2.1 million SKT subscribers had replaced their SIM cards, which is less than 10% of the total subscribers.

A Ministry of Science and ICT official stated, "We strongly demanded that SKT strengthen its response system, including the anomaly detection system (FDS), which determines the effectiveness of the SIM protection service, and the company is currently preparing countermeasures." The joint public-private investigation team plans to complete the investigation of all SKT servers by June and determine the final scale of the damage and the path of the data leak.
