South Korea’s telecommunications operator LG Uplus is facing growing regulatory scrutiny after its SIM card security practices triggered concerns about potential exposure of customer data, prompting calls for stricter oversight and possible restrictions on new sign-ups.
The controversy centres on the company’s use of subscriber identity module (SIM) configurations that reportedly embedded customers’ phone numbers within the international mobile subscriber identity (IMSI), rather than applying randomised identifiers, a method widely adopted by global carriers to strengthen privacy protection.
Brandspur Tech & Science Desk reports that the issue gained momentum after security experts and lawmakers warned that non-randomised IMSI values could make it easier for malicious actors to identify and track mobile users, especially since IMSI data transmitted between devices and base stations is not encrypted.
In response to the backlash, LG Uplus has announced a nationwide programme to replace or update SIM cards for its entire user base beginning April 13. The initiative is expected to cover as many as 17 million lines, including primary subscribers, secondary devices and budget handset users.
The company said the decision followed an internal review launched after a major cyberattack against rival carrier SK Telecom in 2025, which exposed weaknesses in legacy mobile network security frameworks. LG Uplus indicated it had been preparing countermeasures since the latter half of last year.
However, the delayed rollout of the replacement plan has drawn criticism from policymakers, who questioned why corrective action was not implemented earlier and whether the operator is adequately prepared to manage the logistics of replacing millions of SIM cards within a short timeframe.
During a parliamentary committee session in Seoul, several lawmakers urged the government to consider temporary suspension of new customer registrations until the SIM transition process stabilises, arguing that allowing new sign-ups could create additional operational and security complications.
Officials also pressed for independent verification of the updated IMSI configuration and stronger compliance with national information security certification standards, warning that millions of users could be exposed if systemic vulnerabilities are not addressed.
The Ministry of Science and ICT has taken a more measured stance, stating that while embedding phone numbers in IMSI structures may reduce security robustness, there is currently no confirmed evidence of a data breach and therefore no clear legal grounds for punitive action against the company.
LG Uplus has yet to release a detailed schedule for the SIM replacement campaign or clarify how it will manage supply and distribution across its retail network. The company’s chief executive declined to comment publicly on whether it would voluntarily suspend new subscriptions while the security overhaul is underway.
The unfolding situation underscores broader concerns within the telecommunications industry over legacy network architectures and the growing pressure on operators to modernise subscriber identity protections amid rising cyber threats and heightened regulatory expectations.
