The National Assembly Research Service issued a review suggesting that LG Uplus' method of operating its subscriber identity number (IMSI) system may violate the Personal Information Protection Act.

According to a review titled "Review of the Personal Information Protection Act related to LGU+ IMSI" that lawmaker Kim Jang-gyeom (김장겸) of the People Power Party received from the service on April 14, an IMSI is hard to use on its own to identify a specific individual. But it could become highly likely to identify a person if combined with a carrier's subscriber information. The service said that if, like LG Uplus, the IMSI structure reflects phone numbers, it is highly likely to qualify as personal information.

An IMSI is a value used to identify subscribers when connecting to a mobile network. LG Uplus has assigned IMSIs reflecting customers' phone numbers since 2011. The service said, "An IMSI effectively comes to have identification power equivalent to a phone number," adding, "It may be assessed as personal information even by personal information processors that are not telecommunications companies."

The Personal Information Protection Commission also conveyed in a reply sent to Kim's office that the reasoning of court precedents recognising the personal-data nature of IMEI, a device identifier, could be applied to IMSI. This conflicts with LG Uplus' explanation that IMSI itself is not personal information.

The service also said of LG Uplus' IMSI design that it "could be assessed as not sufficiently fulfilling the obligation to take safety measures under the Personal Information Protection Act." Personal information processors must take protective measures to prevent loss, theft and leakage. But it said LG Uplus' IMSI design structure may be insufficient for securely storing and transmitting personal information. If a violation of the safety-measures obligation is recognised, it could be subject to an administrative fine of up to 30 million won.

It also offered an interpretation that using phone numbers in IMSI could amount to using personal information beyond its intended purpose. It said that using the phone numbers of subscribers switching carriers in IMSI could be seen as use beyond the original collection purpose. The service said, "It could be viewed as within the scope of providing telecommunications services, but there may also be a possibility it is interpreted as use beyond the purpose, given there is no technical necessity to use phone numbers in IMSI design."

The service said, however, that assigning phone numbers and IMSIs to new subscribers itself is not "collection" of personal information obtained from outside, but could be seen as part of a carrier's process of generating numbers. It said separate review is needed on whether regulations related to personal-information collection apply.

LG Uplus is taking steps to provide free SIM replacements or updates for all customers to randomise IMSI values. But the service pointed to the company's review of an IMSI conversion plan since June 2025 and said it may have already been aware of the issue.

Kim said, "LG Uplus is evading responsibility for managing personal information under the pretext of security concerns," and added, "Since the National Assembly Research Service and the Personal Information Protection Commission have also confirmed the possibility of infringement, no further excuses will work."

LG Uplus said, "IMSI falls under general personal information, but since it has not been leaked or exposed externally, it is difficult to see a violation of the Personal Information Protection Act." It added, "Even if it is exposed, if the encrypted authentication key (KI) is not leaked there is no risk of cloned phones and the case does not constitute a violation of the safety-measures obligation under the Personal Information Protection Act."