Will the SKT Hacking Incident Lead to a Special SIM Security Act?

The technical core of the recent SKT authentication server hacking incident is that the central server system managing SIM card information—the key medium through which telecom operators deliver passwords (authentication keys) to subscribers and the backbone of 4G/5G network security—was compromised by an external attack. This goes beyond a simple data leak and theoretically opens up the possibility that an attacker could use a fake base station to hijack communication sessions targeting specific users. As a result, it could lead directly to serious security threats such as intercepting ARS authentication calls or SMS messages used for financial transactions, wiretapping calls, and increasing the accuracy of smishing/phishing attacks.

Setting a SIM card PIN (password), which has been mentioned as a way to prevent this, is effective in blocking unauthorized use in the event the card itself is physically stolen or lost, but it does nothing to address the possibility that authentication information was leaked on the server side. Therefore, the only way to invalidate the leaked authentication information and receive a new security key is to replace the SIM card (either a physical replacement or reissuing an eSIM).

The video from the ColorScale YouTube channel below offers the most accurate explanation of what security threats SKT’s central server hack poses to users, so readers interested in the technical details are encouraged to watch it.

To begin with, SKT’s initial response was highly inadequate, and it issued apology/notice letters that effectively misled the vast majority of customers, who lack technical knowledge, which is a very serious problem. Recognizing the gravity of the situation, the government and the National Assembly summoned CEO Ryu Young-sang to a hearing, where they acknowledged the response was insufficient and urged the company to make an all-out effort to prevent damage. At the hearing, Ryu Young-sang stated that he “agrees this is the worst hacking incident in the history of Korean telecommunications.” Afterwards, SKT temporarily suspended new subscriptions, and Minister of Science and ICT Yoo Sang-im visited KISA’s Internet Incident Response Center, calling for a “comprehensive review of the information security framework in light of the SKT incident.”

The basis for concluding that all SIM information, which plays a critical role in subscriber security, has effectively been leaked is that the data was stored in plain text. In theory, even if a server is hacked, if the data stored on it is encrypted to a high standard, there is a good chance the information itself is not actually exposed. The fact that everything was stored in plain text (as readable text) is evidence of SKT’s lax information security systems and culture.

According to the article above, Vice President Ryu Jeong-hwan responded to the effect that they had not encrypted sensitive data because there had been no legally mandated obligation to do so. As soon as I read this, what came to mind was, “At this rate, someone is going to propose a special SIM security act.”

What I find most problematic in our legal system is that citizens, lawmakers, and even enforcers all tend to interpret the law literally. Laws are designed to guide individuals and the organizations they belong to toward behaving in certain ways so that society can function properly. As time passes and society evolves, laws are meant to change along with it; they are not tools for determining absolute right and wrong. The problem is that most people treat the law as if it were a manual for judging what is right and wrong.

Once the law turns into a clear-cut manual that is applied strictly as written, we lose the basis for imposing any demerits on those who cause social harm through actions that are not explicitly defined in the statute books. The law then becomes a tool for “locking the barn after the horse is stolen,” only being revised after everyone has already suffered the damage.

The essence of the SKT server hacking incident is not that the company has cut back on security investment in recent years, nor that employees have a lax security mindset, nor even that there is no law explicitly requiring SIM information to be encrypted and made hard to access. It is that there is no institutional framework—and no legal system to underpin it—that forces companies to bear responsibility beyond the damage they inflict when they cause serious harm to their customers.

Every system and structure has its pros and cons, but in any society, trust is an essential form of capital. I believe that the more trust there is, the less friction arises in transactions, and the more that becomes a driving force for development. Because trust is a kind of belief, only a system that imposes strong demerits on individuals and organizations that undermine it can provide the incentive needed to prevent absurd hacking incidents like this one.