Hundreds demand compensation following SK Telecom data breach that affected millions

In the aftermath of a major cybersecurity breach at SK Telecom, hundreds of affected users have filed formal complaints demanding restitution and swift preventive action, as public scrutiny intensifies over the telecommunications giant’s handling of sensitive customer data.

According to figures released by the Personal Information Protection Commission (PIPC) to Rep. Yang Bu-nam of the Democratic Party of Korea, a total of 338 individuals have lodged official requests with the commission as of Wednesday. These filings pertain to the hacking incident involving South Korea’s largest mobile network provider, which recently revealed that personal data from nearly 27 million users had been compromised.

Of the complaints, 238 individuals submitted 276 cases independently, while a group of 100 users jointly filed one collective application. In total, the commission has received 277 cases related to the breach—already representing more than one-third of the 806 personal information disputes processed throughout all of last year. The volume of cases is notable given that the breach came to public attention less than a month ago.

The personal information dispute mediation system in South Korea offers a fast-track, non-litigious process for resolving privacy-related grievances. Disputes involving groups are typically adjudicated by a quasi-judicial mediation committee within 60 days of a formal initiation.

An attorney representing the 100 users in the collective complaint indicated that additional legal action may follow, stating that between 300 and 400 more individuals are preparing to file similar claims. Civic organizations have echoed the need for urgency. The Seoul YMCA, a local advocacy group, called on the PIPC to take more proactive steps to manage the growing wave of complaints and assuage public anxiety.

“Hundreds have already filed, and if secondary damage occurs, we may see a flood of new applications that the committee is not equipped to handle,” a spokesperson for the group warned.

The breach, which came to light in April 2025, involved the unauthorized extraction of user data from SK Telecom’s systems. Though detected last month, the infiltration reportedly began on June 15, 2022, when attackers first introduced a web shell into the company’s infrastructure. The malware remained active for nearly three years, going unnoticed until December 2024 when SK Telecom began logging activity on the affected servers.

A joint investigation team composed of public and private sector experts later reported that malware had infected 23 of the company’s 30,000 Linux servers. These included 25 distinct types of malicious software that ultimately exposed customer data such as International Mobile Subscriber Identity (IMSI) numbers, USIM authentication keys, network usage records, and SMS and contact information stored on SIM cards. The breach heightened the risk of SIM-swapping attacks—a form of identity theft that exploits mobile number transfers.

SK Telecom confirmed that 26.95 million customers are expected to receive direct notifications about the breach. The company has begun issuing replacement SIM cards to all subscribers and has implemented automatic security enhancements to prevent further unauthorized activity. Although the joint investigation found that 15 compromised servers contained sensitive data—including 291,831 International Mobile Equipment Identity (IMEI) numbers—SK Telecom has publicly refuted this specific claim.

The company has acknowledged the severity of the incident, stating that the extent of the breach is broader than initially estimated. As a result, SK Telecom temporarily suspended new subscriber registrations on April 19 as part of its crisis response.