SEOUL, December 01 (AJP) - Korea — a society whose everyday routines run almost entirely online — is grappling with its biggest data crisis to date after e-commerce giant Coupang confirmed that information linked to nearly all of its customers — 33.7 million people, or three out of four Korean adults — had been stolen.
More worrisome is that while previous high-profile breaches this year involved external hacking attacks on wireless carriers and credit-card issuers, the Coupang case points to potential criminal liability if an internal leak by a former employee is confirmed. The incident is expected to hasten sweeping reforms that force digital platforms to prioritize data security over commercial expansion.
Coupang said Sunday that the breach was carried out by a former employee of Chinese nationality who allegedly accessed the company’s systems through overseas servers, noting that "unauthorized access appears to have begun in mid-June." The stolen information includes names, email addresses, mobile numbers, and home addresses.
It marks the biggest data breach in Korea in more than a decade, since the 2011 Cyworld–Nate incident that affected about 35 million users.
With Coupang's monthly active users (MAU) estimated at 34 million and the domestic e-commerce population at roughly 39 million, experts warn the breach may affect "virtually everyone." The company initially reported only 4,500 compromised accounts on Nov. 18, but revised the number upward 7,500-fold within nine days — prompting warnings that further undisclosed cases may still emerge.
The breach also contrasts sharply with recent attacks on telecom operators such as SK Telecom and KT, which involved sophisticated external intrusion rather than insiders.
SK Telecom suffered a large-scale breach involving USIM authentication data in April, affecting more than 23 million subscribers. The company rejected a state proposal to compensate victims 300,000 won ($204) each and has already spent more than 1 trillion won addressing the fallout.
At KT, hackers installed illegal femtocell devices — small radio units that act as fake cell towers — to intercept verification text messages and trigger unauthorized micro-payments. Hundreds of victims have filed criminal complaints. Police and the Korea Communications Commission are investigating.
Game developer Netmarble also confirmed last month that the personal information of about 6.11 million users was compromised in a cyberattack targeting its PC-based game portal. Leaked information included names, birth dates, and encrypted passwords.
Counting Coupang's 33.7 million victims, SK Telecom's 23.24 million, and Netmarble's 6.11 million, analysts estimate that more than 80 million data records have already leaked in 2025 alone across platforms, telecoms, gaming services and card-payment networks — underscoring pervasive vulnerabilities across nearly all digital industries.
Experts point to chronic underinvestment in cybersecurity as the root cause of repeated failures. According to data from the Korea Internet and Security Agency, based on disclosures by 773 listed companies with annual revenue above 300 billion won, the average share of IT budgets devoted to security was only 6.29 percent last year, remaining below six percent for four straight years.
U.S. companies, however, allocate 13.2 percent on average — more than twice the Korean level.
Among major domestic players, SK Telecom invested 4.6 percent of its IT budget in security, lower than KT (6.3 percent) and LG Uplus (7.4 percent). Samsung Electronics spent the most in absolute terms at 356.2 billion won, but security accounted for only 0.12 percent of revenue. LG Electronics was at 0.03 percent, while major banks KB Kookmin and Shinhan were at 0.08 percent. Platform operators also posted low ratios: Coupang (4.6 percent), Naver (4.5 percent), Kakao (4.3 percent), and Woowa Brothers (4.1 percent).
"The current level of security spending — around six percent — is clearly insufficient; experts recommend closer to nine percent," said Kwon Hun-yeong, professor at Korea University's School of Cybersecurity. "These incidents reveal systemic vulnerabilities across multiple layers of national digital infrastructure. Authorities fail to fully trace origins." Kwon added that Korea needs a national manual to identify and prioritize the systems most critical to safeguarding against attacks.
According to the Personal Information Protection Commission (PIPC), 451 breaches between 2021 and July 2025 exposed 88.543 million personal records, with average penalties of 700 million won, and administrative fines of just 6.17 million won per incident, a level critics say is too low to deter negligence.
The commission plans to require businesses to allocate at least 10 percent of their total IT budgets to data protection by 2027, and 15 percent by 2030.
"We are considering incentives for companies that meet the minimum cybersecurity investment threshold," a PIPC official said. In the U.S., governments support cybersecurity spending with tax deductions of up to 15.8 percent for technologies such as AI-based threat detection and encryption, and provide payroll-tax relief of up to $500,000 for small businesses.
Coupang shares fell as much as 7.5 percent in after-hours trading, sliding from $28.16 to about $26.06 following the disclosure.
Kim Hee-su Reporter khs@ajupress.com