South Korea’s top mobile carrier, SK Telecom, announced April 25 that it will offer free SIM card replacements to all 23 million customers following a recent hacking incident, responding to growing concerns about data security.
The company detected the breach a week ago.
“We sincerely apologize for the inconvenience and concern this has caused our customers and the public,” CEO Ryu Young-sang said at a press briefing in Seoul. “We will replace SIM cards free of charge for all customers who request it.”
Although SK Telecom has not yet determined the full scope of the breach or identified affected users, the lack of clarity has fueled anxiety among subscribers. Many customers have already sought their own measures to protect themselves.
Initially, SK Telecom introduced a “SIM protection service,” which blocks network access if a SIM card is inserted into a device that doesn’t match the registered information. However, the service faced criticism for its complex registration process and lack of compatibility with international roaming, prompting complaints of slow action.
As of April 25, approximately 2.4 million users, or roughly 10% of the customer base, had signed up for the service.
The free SIM card replacement program will begin at 10 a.m. on April 28, applying to all subscribers as of April 18, when the breach was first detected. Customers can replace their SIM cards at any T World store or airport roaming center nationwide, with some exceptions for older devices like watches and kids' phones.
The company will also reimburse customers who paid to replace their SIM cards between April 19 and 27.
In addition, the program will extend to budget mobile operators using SK Telecom’s network. These operators will announce further details on the rollout.
Meanwhile, SK Telecom is facing criticism for allegedly failing to report the breach within the legally required timeframe.
Rep. Choi Soo-jin, a member of the parliamentary Science, ICT, Broadcasting, and Communications Committee, noted that SK Telecom first detected unusual data movement on its internal systems at 6:09 p.m. on April 18. However, the company did not report the breach to the Korea Internet & Security Agency (KISA) until 4:46 p.m. on April 20, nearly 22 hours after the 24-hour reporting deadline.
