South Korea speaks confidently of becoming an “AI powerhouse,” yet the foundation of that ambition — data governance — remains dangerously fragile. The reported leak of 33.7 million Coupang user records is not just another corporate security lapse. It exposes a deeper structural failure in how the country understands, designs and governs data itself.
Each time a major breach occurs, authorities respond with familiar language: tougher oversight, stricter certification, stronger encryption. But the pattern repeats. The reason is simple. Korea’s security framework remains focused on outer defenses — access controls, compliance checklists and perimeter protection — while neglecting the core of the system: how data are structured, classified and controlled inside databases.
In the digital era, data are no longer a byproduct of administration or commerce. They are a strategic national asset, increasingly concentrated in large cloud-based systems. That reality demands a shift in thinking, from “protecting networks” to governing data itself. Yet repeated government network outages and recurring large-scale leaks suggest that this shift has yet to occur.
The Coupang case illustrates the problem starkly. Reports indicate that tens of millions of records — amounting to several terabytes — were accessed over months. Such a volume could not plausibly have been extracted through a simple external intrusion or a personal device. It points instead to access at the core database level, what might be called the system’s “inner room.”
This matters because database security is fundamentally different from general information security. It is not about building higher walls at the entrance, but about deciding — at the design stage — who can see which data, under what conditions, and with what technical limits. In advanced systems, high-value data are separated from general data and stored in dedicated databases with multiple clearance levels. Even if someone penetrates the network, they cannot read or copy sensitive data without the appropriate authorization.
This is why database security has long been treated as a national-security issue in countries such as the United States. Multi-level security architectures, originally developed for defense systems, classify data by sensitivity and strictly limit access rights. Users cannot read or write information above their clearance level, and abnormal access attempts are automatically blocked and logged.
South Korea, by contrast, still operates largely on a “front-door security” model. Once inside the system, internal users may retain excessively broad privileges. Reports that a single account could access tens of millions of personal records — if accurate — point to a breakdown of basic principles such as separation of duties and least-privilege access. Audit logs, meant to detect abnormal behavior, appear to have functioned more as formalities than as real safeguards, given that unusual activity allegedly went unnoticed for months.
This regulatory blind spot is not accidental. Oversight has focused on visible security measures and certification processes rather than on the substance of database architecture. Even parliamentary reviews tend to stop short of examining how data are actually structured and governed. As a result, database security remains a gray zone — acknowledged rhetorically, but weakly regulated in practice.
The distinction between “protection” and “security” matters here. Protection refers to outward defenses and compliance checklists. Security, in contrast, is a matter of national resilience. Treating database security as a subset of general IT protection understates its strategic importance. It requires its own legal basis, supervisory authority and professional standards.
This also exposes the limits of the current “chief information security officer” model. Database governance demands specialized expertise that cannot be absorbed as a side function. What is needed is a separate framework — and accountability structure — dedicated to data security, including legally defined responsibilities and enforcement powers.
Nor should “data” be treated as a vague or all-encompassing term. A database is not an Excel file. It is a structured system governed by a data model, and its security depends on how that model is designed. True data governance requires expert architects who define how information is classified, linked and accessed across systems. Without such design discipline, encryption alone offers little protection.
Indeed, many firms quietly avoid encrypting core databases, citing performance concerns. But those concerns often stem from poor data architecture. Properly designed systems can handle encryption without meaningful slowdowns. Encryption becomes ineffective only when insiders already have unrestricted privileges — a design failure, not a technical inevitability.
The same logic applies to Korea’s most sensitive identifier, the resident registration number. After decades of leaks, encrypting it offers limited protection if it continues to be widely used across the private sector. Preventing harm now requires institutional reform, including restricting its usage and redesigning identity systems for the internet era.
Slogans about a “data dam” or an “AI powerhouse” ring hollow if the databases holding that data remain poorly governed. Artificial intelligence cannot be built on structurally weak foundations. Without robust data design, access control and accountability, AI simply scales existing vulnerabilities.
The Coupang case should therefore be treated not as an isolated corporate failure, but as a warning about systemic weakness. Database security must be elevated to a core policy domain — with its own legislation, oversight and professional standards. Only then can Korea claim to be serious about data sovereignty, digital trust and the foundations of an AI-driven economy.
▷Professor, KAIST Graduate School of Management ▷Ph.D. in computer science, University of Illinois Urbana-Champaign ▷Asia representative director, European IT Society ▷Goodwill ambassador, Korean Red Cross ▷Professor of computer science at KAIST, the University of Cambridge and the University of Edinburgh
* This article, published by Aju Business Daily, was translated by AI and edited by AJP.