South Korean telecom operator LG Uplus is preparing to replace millions of SIM cards after it emerged that it had embedded users’ actual phone numbers in the International Mobile Subscriber Identity (IMSI), which is used to authenticate subscribers.

Unlike the usual practice of using random numbers to generate IMSIs, LG Uplus has been incorporating parts of customers’ actual phone numbers into these identifiers since the early days of its 4G rollout in 2011.

While IMSIs are not directly exposed in normal use, security experts warn that predictable identifiers can become risky when combined with other data, potentially facilitating tracking, profiling, or even SIM cloning.

Korea Times quotes an official saying that, as subscriber identity information sent from a cell phone to the base station is not encrypted, randomization is essential.

“Even though there were two opportunities to update the system – when the IMSI standard was set in 2004 and again during the LTE rollout – the company ignored them,” said the official.

Scrambling to contain the backlash, the company announced it will provide free SIM replacements or software-based security updates to all users starting April 13th, 2026.

According to reports, South Korea’s Ministry of Science and ICT estimates the move will impact up to 17 million subscribers.

Regulatory (in)action

Although LG Uplus’s approach did not violate any regulations, as there is no clear provision in current laws on how the IMSI should be designed, the issue has escalated into a wider policy debate.

Reports suggest the authorities are considering whether to freeze new subscriptions until the issue is fully addressed. Some lawmakers have questioned why the company is waiting until April 13th to fully initiate the replacements. They argue the delay would make it inconvenient for new subscribers, who may have to change SIM cards again after a short period.

Authorities, however, have stopped short of taking immediate action. Instead, the Ministry of Science and ICT has signalled caution, noting that no confirmed data breach has occurred, and that current laws may not support punitive measures in this case.

This isn’t the first time a South Korean telecom operator has announced a SIM replacement program. Last year, SK Telecom also executed a similar program after admitting a major data breach.

Comparing the SK Telecom and LG Uplus replacement programs, an official noted that the two cases differ, as there was a clear hacking incident in the former.

"In the current situation, my understanding is that we are not at a stage of specifically reviewing a suspension of new subscriptions for LG Uplus," the official said.