my timesThe Korea Times

LG Uplus call breach puts on-device AI security claims under scrutiny

Listen
The LG Uplus artificial intelligence call assistant service ixi-O is displayed on a phone in front of the company's headquarters in Yongsan District, Seoul, Sunday. Yonhap

The LG Uplus artificial intelligence call assistant service ixi-O is displayed on a phone in front of the company's headquarters in Yongsan District, Seoul, Sunday. Yonhap

LG Uplus is facing mounting questions over the security architecture of its artificial intelligence (AI) call assistant service ixi-O, following a recent data breach incident that leaked the call data of its users.

The breach revealed that call information, previously promoted as being securely contained within users’ smartphones as an on-device service, had in fact been routed through and temporarily stored on the company's servers, undermining its core security claims.

The controversy erupted after the telecom company disclosed Friday that calling information of 36 ixi-O subscribers was leaked to 101 other users following a cache-setting error during a routine system update.

Exposed details included recipients’ phone numbers, call timestamps and AI-generated call summaries.

LG Uplus said it confirmed that personal ID numbers, such as social security or passport numbers, or financial information were leaked and has since fixed the configuration error, blocked further exposure. The company said it notified affected users.

The incident has heightened scrutiny of LG Uplus’ product architecture, prompting skepticism about how call data marketed as being processed securely on-device ended up exposed.

While the company had highlighted ixi-O’s local processing as a core security advantage, its acknowledgment that some call information was temporarily stored on servers has fueled concerns that the marketing overstated the actual extent of on-device functionality.

Even if some data is briefly transferred through a server, it should still be unreadable without proper verification, making the exposure of users’ call summaries to other users a serious red flag on whether encryption and access-control protections were applied consistently across its features.

Screens demonstrating LG Uplus' artificial intelligence agent ixi-O at its headquarters in Yongsan District in this undated photo / Korea Times file

Screens demonstrating LG Uplus' artificial intelligence agent ixi-O at its headquarters in Yongsan District in this undated photo / Korea Times file

Responding to the backlash, LG Uplus said the incident prompted widespread misunderstanding because its marketing had strongly emphasized the app’s on-device AI capabilities, giving users the impression that all features operated entirely on their phones.

The company clarified that ixi-O does rely on on-device processing for core functions such as converting voice calls into text, displaying live captions and detecting voice phishing attempts, with audio never being uploaded in full to its servers.

However, the company explained that some supplementary features still require server processing. In particular, the call-summary function sends the transcribed text to the cloud for summarization and stores the resulting summary for up to six months, a period the company said is necessary to ensure continuity when users replace their smartphones or reinstall the app.

It noted that all stored summaries are encrypted and the original text files are deleted immediately after the summary is created.

LG Uplus also said it is testing a lightweight version of LG AI Research’s AI model EXAONE, which would allow call summaries to be generated entirely on-device in the future, pledging to thoroughly review the current operations of ixi-O.

The Personal Information Protection Commission is investigating the data breach after the company reported it.