South Korea Lawmaker Moves to Tighten IMSI Protections After LG Uplus Exposure

A South Korean lawmaker is moving to tighten protections around telecommunications user identifiers after security concerns about IMSI numbers linked to phone numbers surfaced at LG Uplus. On the 17th, Choi Min-hee, a member of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, said she would draft a law aimed at safeguarding user identification information.

IMSI, or International Mobile Subscriber Identity, is a unique number used in mobile networks to identify subscribers. Under the 3GPP standard, IMSI is typically composed of a country code, a network code, and a subscriber identifier. In Korea, three carriers have taken different approaches: SKT reportedly assigns IMSIs via random sequences; KT uses serial numbers supplied by SIM manufacturers; LG Uplus, it has been revealed, uses the last 10 digits of the user’s phone number as part of the IMSI.

The disclosure followed a tip from a white-hat hacker in January about the potential exposure of up to 11 million LG Uplus IMSI values if revealed publicly. Choi said the information would be handled carefully in coordination with the Ministry of Science and ICT, the Personal Information Protection Commission, and the Korea Internet & Security Agency (KISA) to prevent immediate risk while measures are prepared.

Choi’s proposed legislation would add IMSI-like identifiers to the scope of protection under the Telecommunications Business Act and the government’s broader plan for managing telecommunications number resources. The aim is to prevent any inference of customer personal information during the allocation and management of numbers, extending stronger safeguards to IMSI and related identifiers.

The lawmaker emphasized rapid action to prevent a recurrence and to gain public trust. She urged LG Uplus to move quickly to reassure customers, while calling on the Ministry of Science and ICT to oversee risk management and ensure no new damage occurs as a result of the incident.

LG Uplus has announced that, starting April 13, it will replace SIM cards for all customers at no charge and reset devices to adopt a random IMSI system. The company says the move is intended to bolster security and align with the broader protection measures being discussed in policy circles.

Why this matters beyond Korea: IMSIs and other unique telecom identifiers are global touchpoints for personal data and subscriber tracking. For U.S. readers, tighter protections have implications for cross-border privacy standards, the security of roaming and international messaging, and the resilience of the global SIM supply chain amid a broader shift to eSIM and next-generation networks. If identifiers can be linked to individual identities, it raises concerns about surveillance, fraud, and data sharing across borders, potentially prompting similar policy responses in allied countries and influencing how telecom operators, device makers, and regulators cooperate on security and privacy.