20.5k unique visitors in the last 3 days

SK Telecom Shares Fall 7%; Thousands Struggle to Get Replacement SIMs after Data Breach

Customers report frustration with long waits at stores and online after the Korean telco promised free replacement SIMs to 25mn phone users despite having only 1mn SIMs in stock.

The crisis precipitated by the hacking of SK Telecom’s Home Subscriber Server (HSS) deepened yesterday as the value of the company tumbled on the first day of trading following the announcement that free replacement SIMs would be offered to all users of the telco’s network. Long lines of customers were seen at stores around South Korea on Monday morning, with many telling mainstream and social media that they had been turned away empty-handed because stocks of SIMs had run out. Online systems to schedule appointments for SIM replacements were also overrun. This came amidst news reports that SK Telecom only had a stock of 1 million SIM cards it could distribute immediately, and is only expecting to obtain a further 5 million by the end of May, despite promising free replacement SIMs for 25 million phone users, including almost 2 million customers of MVNOs that use SK Telecom’s network.

Yonhap News Agency shared stories and photographs depicting long lines of customers waiting for replacement SIMs. YTN television news screened interviews with SK Telecom customers who said they had been unable to get a replacement SIM despite waiting patiently. Multiple media reports suggest the delays are fueling anxiety about a potential surge in SIM swap fraud, with South Koreans considered to be especially vulnerable because of extensive reliance upon online services.

SK Telecom had encouraged customers to schedule appointments for replacement SIMs in order to avoid chaos at stores. However, there were many reports of customers trying to access the online scheduling system only to be shown their place in a queue with tens of thousands of customers ahead of them. The highest number shared on social media came from X user DDD, who tweeted an image that stated 95,640 people were waiting to get their appointment.

The telco’s share price hit a low of KRW53,100 during trading on Monday, having closed at KRW57,800 on Friday. There was then a slight recovery but the company was still down 7% by the end of Monday. This dramatic drop contrasts with the share price having remained stable in the days immediately following the disclosure that a privacy breach had occurred as a result of the company’s HSS being infected with malware. There has been no news about the identity of the hackers, their motivation or the methods they used, with representatives of SK Telecom suggesting there will be no updates until the end of an investigation that could take 2 months to complete.

Koh Hak-soo, Chairman of South Korea’s data protection agency, the Personal Information Protection Commission, was criticized by members of the National Assembly when he told them the investigation might take more than a year because it involved complex systems. Nor did he help SK Telecom’s plight by affirming that subscribers could effectively protect themselves from the consequences of the data breach by switching their service to another comms provider.

The policy of saying as little as possible may have to be reversed if confidence in SK Telecom and the authorities continues to worsen as journalists attempt to associate the breach with news about new SIM swap fraud victims. Daily newspaper Hankyoreh reported that one man lost his SK Telecom service a few days after the breach, and subsequently discovered his identity had been used to switch his service to a different phone company and that KRW50mn (USD35,000) had been taken from his bank account.

Hankyoreh also reports that dealers on behalf of rival telcos like KT are openly inviting SK Telecom customers to switch providers in order to allay their fears about being scammed.

한 케이티 매장에선 유리벽에 “에스케이티 고객님, 개인정보 유출 사건 걱정되시죠? 기기와 번호 그대로, 통신사만 이동하셔서 저렴하게 이용하세요!”라고 써 붙였다. 다른 매장은 “에스케이티 유심 대란!! 해킹에서 안전한 케이티로 오세요~”라고 크게 붙여놨다.

One KT store posted a sign on the glass wall that read, “SKT customers, are you worried about your personal information being leaked? Keep your device and number, and just switch carriers to save money!” Another store posted a large sign that said, “SKT SIM card chaos!! Come to KT, safe from hacking”.

At the time of writing, 36,030 users had signed up to an online community pursuing a potential class action lawsuit against SK Telecom. The number of members of this group appeared to be rising rapidly. The organizers of the group said there was a need to change the ‘security standards of society as a whole’.

Risk managers receive a lot of bad advice about data breaches. For example, there is evidence that share prices can rise if the response to a breach encourages confidence in the management team. On the other hand, it is clear that some telcos are run by executives who think managing the risk of a breach primarily involves managing what is said publicly following a breach, instead of reducing the chances of breaches occurring. Perhaps the worst example of this approach was Kelly Bayer Rosmarin, the former CEO of Australian operator Optus. Empty words helped her to hold on to her job following a data breach affecting 10 million Australians, a similar proportion of the Australian population to the share of South Korea that will be affected by SK Telecom’s breach. However, her real accomplishment was to usher in a new era of cooperation to protect consumers from scams, first by changing rules so banks and telcos can share information more readily in the aftermath of a breach. This laid the groundwork for the adoption of a comprehensive national cross-sector strategy for protecting consumers from scams.

Commsrisk’s more cynical readers will share my view that data privacy and consumer protection only receive the attention they deserve after serious failings have demonstrated the inadequacy of current risk management. Data breaches are an enabler for crime, and nincompoop executives who allow breaches to occur deserve punishment instead of the fat corporate pay-offs they usually receive. Those countries which have made tentative steps towards making executives theoretically liable for security failures have shown little inclination to hold them accountable in practice. Executive decision-makers continue to enjoy luxurious lifestyles despite making bad decisions because the rest of society is forced to carry the cost. But at least these incidents force customers to take their own security more seriously, and to demand more from the elites that run society. Optus’ lax attitude and incompetent leadership helped to propel Australia towards one of the best consumer protection strategies adopted by any nation. Perhaps the reaction of South Koreans to the breach at SK Telecom is showing that ordinary people are less willing to accept apologies and promises to do better in future.

It may be dawning on consumers that there is no quick fix when so much sensitive data is compromised. When it comes to data breaches, more ordinary people are beginning to appreciate why prevention is better than cure. The tide might be turning, not just in South Korea, but more generally amongst populations who have been encouraged or forced to depend on their phones more than ever before. Some good may come from this yet.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email