At the heart of the issue is the company’s handling of subscriber identity module (SIM) configurations. Unlike the more secure, randomized systems widely used by global carriers, LG Uplus reportedly embedded customers’ phone numbers directly into the international mobile subscriber identity (IMSI). This approach has raised red flags among experts, who warn it could make users more vulnerable to tracking or identification by malicious actors.
The concern stems from the nature of IMSI data itself. Because it is transmitted between mobile devices and network base stations without encryption, predictable or non-randomized identifiers can potentially be exploited. Security analysts argue that embedding phone numbers within IMSI structures undermines a key layer of privacy protection that modern telecom systems are expected to uphold.
The issue gained wider attention following reports by BrandIconImage and subsequent warnings from lawmakers, who highlighted the broader implications for user safety. The debate has since evolved into a regulatory matter, with calls for tighter oversight and even temporary restrictions on the company’s operations.
In response, LG Uplus has announced a nationwide SIM replacement and upgrade programme scheduled to begin on April 13. The initiative is expected to affect approximately 17 million connections, spanning primary subscribers, secondary devices, and users of budget mobile services. The company says the move is part of a broader effort to strengthen its network security framework.
According to LG Uplus, the decision followed an internal review launched in the wake of a major cyberattack on rival operator SK Telecom in 2025. That incident exposed vulnerabilities in legacy telecom infrastructure and appears to have prompted industry-wide reassessments of security practices. LG Uplus maintains that it has been preparing corrective measures since the latter half of last year.
However, the timing of the rollout has drawn criticism. Policymakers have questioned why the company did not act sooner, especially given the known risks associated with outdated SIM configurations. There are also concerns about whether LG Uplus can effectively manage the logistics of replacing millions of SIM cards within a compressed timeframe.
During a recent parliamentary committee session in Seoul, several lawmakers proposed temporarily halting new customer registrations until the transition is complete. They argue that continuing to onboard new users during the upgrade process could complicate operations and increase exposure to potential risks.
Regulators are also pushing for independent verification of the revised IMSI structure, along with stricter adherence to national information security certification standards. The underlying concern is that without thorough validation, systemic vulnerabilities could persist, potentially affecting millions of users.
For its part, the Ministry of Science and ICT has taken a more cautious position. While acknowledging that the SIM configuration approach may weaken security robustness, the ministry notes that there is currently no confirmed evidence of a data breach. As a result, it says there are no immediate legal grounds for punitive measures against the company.
LG Uplus has yet to provide a detailed execution plan for the SIM replacement programme, including how it intends to handle supply chain demands and distribution across its retail network. The company’s chief executive has also not indicated whether it will voluntarily suspend new subscriptions during the transition period.
The situation highlights a broader challenge facing the global telecommunications industry: the need to modernize legacy systems in the face of evolving cyber threats. As regulatory expectations tighten and digital risks grow more sophisticated, operators are increasingly under pressure to adopt stronger safeguards for subscriber identity and data protection.