Coupang, latest breach in Korea, with no effective guardrail in sight

By Kim Hee-su | Posted: November 21, 2025, 17:31 | Updated: November 21, 2025, 17:31
Coupang delivery vehicles are seen at a company parking lot in Seoul on Nov. 21, 2025. Yonhap

SEOUL, November 21 (AJP) - Coupang has emerged as the latest flashpoint in Korea's widening cybersecurity crisis, with customer data leaking yet again as major companies — from telecom operators to card issuers — continue to fall victim to preventable attacks under a regulatory system that seldom imposes meaningful penalties.

Coupang said late Thursday that an "unauthorized third party" accessed the personal information of more than 4,500 customers. According to the company's emergency notice, the exposed data included names, email addresses, phone numbers, delivery addresses, and each user's five most recent order records.

The company said it immediately blocked the intrusion route and has so far found no evidence of misuse. It apologized to affected customers and advised them to contact its service center for assistance.

The breach comes amid a series of major security incidents across Korea's telecommunications and financial sectors this year, intensifying concerns over the country's ability to safeguard personal information despite its reputation as one of the world's most digitalized societies.

SK Telecom is preparing for legal disputes over a large-scale USIM-related leak disclosed in April. The company has rejected a state mediation panel's recommendation to compensate the 23 million individuals affected at 300,000 won ($203.28) per person. It has already incurred more than 1 trillion won in costs related to the incident.

KT customers experienced more direct financial losses after illegally smuggled femtocell devices were used to impersonate cell towers, intercept authentication codes, and trigger unauthorized small-sum mobile payments. Hundreds of victims have filed official complaints, and both police and the Korea Communications Commission are investigating the case.

LG Uplus reported suspicious access attempts to its internal network around the same period, resulting in the confirmed leak of 300,000 customer records and fines exceeding 6 billion won.

In the financial sector, Lotte Card suffered a major cyberattack that compromised nearly 300 million customer data files, amounting to about 200 gigabytes of internal records.
 
Graphics by AJP Song Ji-yoon

Government data points to the scale of the problem. According to the Personal Information Protection Commission, 88.54 million pieces of personal information have been leaked across public and private institutions over the past five years. Public-sector breaches alone rose from 650,000 cases in 2022 to 3.52 million in 2023 and 3.91 million in 2024.

Penalties, however, remain limited. Between 2021 and July 2025, Korea recorded 451 data-security incidents but issued only 87.7 billion won in fines and 2.49 billion won in administrative penalties, averaging just 1,019 won per leaked data entry. Korean law allows fines of up to 3 percent of company revenue, but firms may exclude revenue deemed unrelated to the violation when calculating penalties.

This contrasts sharply with the European Union's General Data Protection Regulation, which permits fines of up to 20 million euros ($23.2 million) or 4 percent of annual global turnover. In 2021, Luxembourg imposed a 746 million-euro fine on Amazon for GDPR violations.

A recent KAIST study found that widely used security plug-ins required by Korean financial and public institutions can themselves become attack pathways. These non-standard programs often conflict with the built-in security architecture of global web browsers such as Chrome, Safari, Edge and Firefox, which follow unified W3C and WHATWG standards designed to maintain consistent security protocols.

The study concluded that the vulnerabilities stem from Korea's continued reliance on proprietary, mandatory security software that can undermine rather than strengthen consumer protection, even as companies claim compliance with existing regulations.

 
Graphics by AJP Song Ji-yoon