Three Alarms and No Answer – or Why Telecom Security Keeps Us Awake

April and May are packed with major industry events, with GSMA WAS #21 and International Telecoms Week (ITW) being two of the biggest. At the recent WAS in Dubai, Johannes Opitz, Ph.D., and I shared Deutsche Telekom's perspective on roaming security. The feedback from the attending MNOs was very positive, with broad consensus on how critical this issue has become.

As it happened, just after the WAS discussion two major incidents hit the headlines: data breaches at a leading South Korean telecom provider and at a communications company operating in Africa. Now a third alarm has sounded, this time in Europe. Naturally, many are looking for an explanation and for answers on how such situations can be avoided.

The reality is that even well-protected operators can fall victim to sophisticated attacks. It is not always about having the wrong firewall or missing a patch; sometimes it is about timing, exposure and, yes, luck. These events show once again that securing assets is an ongoing process and that no one is 100% immune.

1. South Korean Telecom Breach (April 2025)

One of the largest attacks in recent years targeted the Home Subscriber Server (HSS) of South Korea's telecom leader. Personal data of approximately 23 million subscribers was extracted, nearly half of South Korea's population. The stolen information included phone numbers, IMSIs, USIM authentication keys and more. An HSS compromise is especially serious because the USIM key is the long-term secret with which the SIM authenticates to the network; whoever holds it can attempt to impersonate the subscriber's SIM. Access was possibly gained via a VPN service, with suspected links to a China-based hacker group.

The company detected suspicious activity late in the evening of April 18. An infected device was detected and isolated on April 19, but the investigation is still ongoing. While the final impact is still unclear, about 250K customers have churned so far, and a loss of 2.5M subscribers and $5 billion over three years has been forecast. On top of that comes massive reputational damage.

2. African Communication Company Data Exposure

Shortly after the South Korean breach, an African communications company reported unauthorized access to subscriber data in unspecified African markets. Details remain confidential, so this case is harder to analyze: there has been no clear disclosure of the attacker's origin, the method or the impact, but the company confirmed the breach and has started an in-depth investigation. In its initial announcement it stated that billing and financial services were not affected, but that vulnerabilities in peripheral systems had been exposed.

3. Major International Group Location and Call Data Leak (May 2025)

Most recently, a significant privacy issue was uncovered at a very large mobile group headquartered in Spain, affecting the handling of customer location and call data within its 4G infrastructure. Unlike breaches caused by external hacking, this incident arose from an internal misconfiguration of core network services, specifically within the Gateway Mobile Location Centre (GMLC), the node through which location-service clients request a subscriber's position. According to independent researchers, the group's systems permitted unauthorized access to real-time user location and call activity through a poorly protected interface. This exposure allowed anyone with basic telecom knowledge and access to SS7 or Diameter signaling to track users across the UK without their knowledge or consent.

Although no widespread abuse has been confirmed so far, the potential consequences are deeply concerning. The incident underscores how configuration errors and protocol exposure, rather than explicit code flaws or malware, can pose significant risks to customer privacy. It is a wake-up call for European operators, who often view themselves as well protected against such threats.
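The practical countermeasure against the kind of signaling-based tracking described above is an interconnect screen that refuses location-related operations from places they should never come from. The following is an added example, not code from the original article, from Deutsche Telekom or from any operator: a toy SS7/Diameter screen in the spirit of the GSMA FS.11 category scheme (Category 1 messages must never arrive over an interconnect link, Category 2 messages are only plausible for one's own subscriber roaming in the sending network, Category 3 messages are normal inter-operator traffic that still needs plausibility checks). The operation-to-category table is this example's own simplification, and the test PLMN 999-01, the country centroids, the 1000 km/h threshold and the sample message sequence are all constructed for illustration.

```python
"""Toy interconnect signalling screen modelled on the GSMA FS.11 categories.

Added example, not code from the original article or any operator. The
category table, the test PLMN 999-01, the centroids, the speed threshold and
the sample messages are all constructed for illustration.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

# Simplified FS.11-style categories (this example's own assignment):
#  1 - must never arrive over an interconnect link: block outright
#  2 - only plausible for our own subscriber roaming in the sending network
#  3 - normal inter-operator traffic, but subject to plausibility checks
CATEGORY = {
    ("MAP", "AnyTimeInterrogation"): 1,
    ("MAP", "SendRoutingInfoForLCS"): 1,
    ("MAP", "ProvideSubscriberLocation"): 1,
    ("DIAMETER", "LCS-Routing-Info-Request"): 1,   # SLh: GMLC->HSS, home-internal
    ("DIAMETER", "Provide-Location-Request"): 1,   # SLg: GMLC->MME, home-internal
    ("MAP", "ProvideSubscriberInfo"): 2,
    ("MAP", "UpdateLocation"): 3,
    ("DIAMETER", "Update-Location-Request"): 3,    # S6a
}
# Constructed centroids, used only to estimate how far a subscriber "moved".
COUNTRY_CENTROID = {"DE": (51.2, 10.4), "ES": (40.4, -3.7),
                    "GB": (54.0, -2.0), "KR": (36.5, 127.9)}
MAX_KMH = 1000.0  # faster than an airliner between two registrations is implausible


@dataclass
class Message:
    protocol: str        # "MAP" (SS7) or "DIAMETER"
    operation: str
    origin_country: str  # in practice derived from the sending GT or origin realm
    imsi: str
    ts: float            # seconds


@dataclass
class Registration:
    country: str
    ts: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class Screen:
    home_plmn: str                                      # MCC+MNC prefix of our own IMSIs
    registrations: dict = field(default_factory=dict)   # imsi -> last accepted Registration

    def decide(self, m: Message) -> str:
        """Return ALLOW, FLAG or BLOCK for one inbound interconnect message."""
        cat = CATEGORY.get((m.protocol, m.operation))
        if cat is None:
            return "ALLOW"   # not in this toy table; a real screen covers every opcode
        if cat == 1:
            return "BLOCK"   # no partner network has a reason to send this to us
        if not m.imsi.startswith(self.home_plmn):
            return "BLOCK"   # we are not the home network of this IMSI
        reg = self.registrations.get(m.imsi)
        if cat == 2:
            # Only the network the subscriber is currently registered in may ask about them.
            return "ALLOW" if reg is not None and reg.country == m.origin_country else "BLOCK"
        # Category 3: velocity check against the last accepted location update.
        if reg is not None and reg.country != m.origin_country:
            km = haversine_km(*COUNTRY_CENTROID[reg.country], *COUNTRY_CENTROID[m.origin_country])
            hours = (m.ts - reg.ts) / 3600.0
            if hours <= 0 or km / hours > MAX_KMH:
                return "FLAG"   # impossible travel: likely a spoofed location update
        self.registrations[m.imsi] = Registration(m.origin_country, m.ts)
        return "ALLOW"


def run_demo():
    """Constructed message sequence; returns (operation, decision) pairs."""
    s = Screen(home_plmn="99901")   # MCC 999 is reserved for test networks
    own = "999010000000001"
    s.registrations[own] = Registration("DE", 0.0)   # subscriber starts at home
    h = 3600.0
    msgs = [
        Message("MAP", "AnyTimeInterrogation", "GB", own, 1 * h),         # cat 1
        Message("MAP", "ProvideSubscriberInfo", "GB", own, 1 * h),        # cat 2, not roaming in GB
        Message("MAP", "UpdateLocation", "ES", own, 4 * h),               # cat 3, plausible trip
        Message("MAP", "ProvideSubscriberInfo", "ES", own, 4.1 * h),      # cat 2, now legitimate
        Message("DIAMETER", "Update-Location-Request", "KR", own, 4.5 * h),   # impossible travel
        Message("MAP", "ProvideSubscriberInfo", "ES", "998020000000009", 5 * h),  # not our IMSI
    ]
    return [(m.operation, s.decide(m)) for m in msgs]


if __name__ == "__main__":
    for op, decision in run_demo():
        print(f"{decision:5} {op}")
```

Two simplifications a production screen would not make: operations missing from the table default to ALLOW here only to keep the example short, and the sender's country is taken from a field rather than derived from the SCCP calling global title or Diameter Origin-Realm, which a real screen must also cross-check against the identities carried inside the message.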

So, three major cases within a few weeks. That makes the key takeaways from the earlier security discussion, which involved almost all big players, all the more timely and relevant:
- Legacy systems are still in place and are highly vulnerable.
- Security is an ongoing strategy and is never truly finished.
- Peripheral systems matter; they are often the weakest link in the chain.
- Configuration and protocol-level exposure can be as dangerous as malicious intrusion.

These stories are not about isolated mistakes. They are about the reality of operating in today's threat landscape. You can have the best tools and still be caught off guard. What matters most at that point is to respond with speed, transparency and a willingness to learn, because sometimes the insights gained are as important as the protections already in place.
