Victims of KT breach climbs to 362, data of 20,000 subscribers potentially exposed

Kim Young-geol, head of KT’s service product division, outlines countermeasures to prevent further hacking incidents during a press briefing at KT’s headquarters in central Seoul on Sept. 18. A total of 362 KT subscribers had their data leaked, enabling hackers to make unauthorized micro-payments in their names. [YONHAP]

 
A total of 362 KT subscribers suffered data leaks that enabled hackers to make unauthorized micro-payments in their names, resulting in 240 million won ($173,000) in damages. In addition, up to 20,000 KT users may have had their phone data exposed, according to the company’s latest findings.
 
This marks an increase from the 278 victims and 170 million won in losses KT reported during an earlier briefing. A joint public-private task force’s expanded investigation concluded that about 20,000 users were potentially exposed to hackers, who may have accessed their subscriber IDs, device IDs and phone numbers.
 
“We are treating all 20,000 KT users who connected to the four identified illegal base stations as potential victims, as it is impossible to verify them individually,” said Koo Jae-hyung, head of KT’s network technology division, at a press briefing held at KT’s building in central Seoul.
 
The briefing came a day after police arrested two Korean Chinese suspects behind the hacking scheme, which began in early August. Investigators said the hackers illegally modified femtocells — small indoor base stations used to boost mobile signals — by acquiring and tampering with the hardware, allowing the rogue units to masquerade as legitimate KT base stations. KT has now confirmed four illegal femtocells were used in the attack, up from the two initially reported.
 
KT emphasized that cloned phones could not be fabricated solely from the leaked data, as the USIM authentication keys were not compromised.
 
“To create a cloned phone, you need three elements: the subscriber ID, the device ID and the USIM authentication key. The last of these is securely stored only in two places — the chip inserted in devices and KT’s internal system — and never transmitted over the network. Only derived results are exchanged, not the key itself,” Koo explained.
 
The 5,561 users flagged in the initial report are part of the broader group of 20,000, which was expanded after the investigation revealed additional types of data exposure.
 
Regarding the 362 confirmed micro-payment victims, KT said it is reimbursing all damages. A total of 278 cases have been settled to date, with the remaining 84 cases currently in process.
 
One unresolved question is how the hackers managed to bypass the ARS phone authentication system, which remains under investigation by the police. The system, widely used by Korean telecom companies, verifies users by calling their phones and requiring them to enter numbers during the call to confirm they are the actual device holders.
 
As a protective measure, free USIM replacement and related security services are available to all customers. Additionally, KT plans to personally visit and assist elderly or vulnerable users. For the 20,000 potentially exposed users, the company will also provide three years of complimentary insurance coverage for mobile-based financial fraud losses.
 
KT currently operates about 189,000 femtocells nationwide, with around 160,000 active. The company has already blocked 43,000 units with no connections in the past three months, which will be inspected or removed within two weeks.

BY LEE JAE-LIM [[email protected]]