There is an increasing sense of desperation surrounding SK Telecom’s plan to replace the SIMs of 25 million phone users following the discovery of malware in the operator’s Home Subscriber Server (HSS). Another press briefing was held on Friday with CEO Ryu Young-sang (pictured) bowing and apologizing for his company’s failings before he announced that all of the telco’s 2,600 stores across South Korea would stop onboarding new subscribers or accepting transfers from other networks. This will allow all available SIMs to be dedicated to replacing the SIMs of existing customers, with none reserved for new customers.
It was unclear how long this suspension will need to remain in place. The telco previously reported it had a stock of around 1 million SIM cards when the hack occurred in April, and that they were expecting the delivery of another 5 million SIMs during May. This has since been updated with news of another 5 million SIMs expected during June, but that would still leave the telco less than half way towards the total required. The telco promised to hold meetings with manufacturers with the intention of increasing the number of SIMs available and shortening the time-cycle for supply lines. Those SIMs which are obtained by SK Telecom are being distributed to their stores straight away, ‘even on weekends and holidays’.
SK Telecom is evidently hoping that consumer losses to crime will be mitigated in the meantime by the company’s SIM card protection service. This service reportedly maintains a record of the user’s handset as well as their SIM, thus preventing a new SIM being issued in the customer’s name and then being used in a different phone. Previously this was a paid-for service but it was made free after the hack. Many customers complained about difficulties and delays with registering for the SIM protection service but well over half of the user base are now signed up. An update to the process means that all remaining users will be registered automatically without needing to request the service. Automatic registration will proceed at the rate of 1.2 million customers per day, with the expectation that all eligible customers will be registered by May 14. However, the current service is incompatible with roaming. Approximately 100 head office staff will be transferred to stores in airports to help with the issuing of replacement SIMs ahead of holiday season. A new version of the SIM protection service that does work for roaming users is expected to be available from May 14.
This news followed an appearance by Ryu Young-sang at a hearing held on April 30 by the National Assembly’s Committee on Science, ICT, Broadcasting and Communications. The CEO told the parliamentarians that the compromise of SK Telecom’s HSS was “the worst hacking incident in the history of the telecommunications industry” before admitting the company’s initial response “was lacking in many ways”. He also said that he and SK Group Chairman Chey Tae-won are relying on the SIM card protection service after choosing not to replace their own SIMs.
An HSS stores highly sensitive data about subscribers, SIMs and security. 9.7GB of data has reportedly been exfiltrated from SK Telecom’s HSS. An online community for people wanting a class action lawsuit has attracted almost 67 thousand members at the time of writing, and continues to grow every minute. The potential liabilities for SK Telecom are enormous. However, a society like South Korea where the government can expect a high degree of cooperation from other big businesses will be better able to limit the impact of a data breach. Prevention is better than cure, but the impact of a breach also depends on how much other entities like banks implement heightened monitoring of potentially criminal activity. Whether this really is the worst ever telco hacking incident will ultimately depend on how the rest of South Korean society responds, as well as SK Telecom’s efforts. The cost of this breach will give the telco plenty of motivation to learn from its mistakes.
