 Big name data breaches thrust Korea's lax cybersecurity under microscope
Published: 08 Jul. 2025, 17:57
A Cartier exterior advertisement hangs on a department store in Seoul on June 4. [YONHAP]

 
A wave of personal data breaches at global luxury brands in Korea as well as domestic restaurant chains is raising alarms about lax cybersecurity in the country's retail sector.
 
From Louis Vuitton and Dior to Papa John’s and Subway, companies collecting sensitive customer information have failed to adequately protect it as they eagerly gather data for marketing but overlook the responsibility of securing it — often shielded by loopholes in disclosure laws.
 

As retailers shift more services online, even small- and medium-sized food and fashion businesses are building digital platforms to handle orders and payments.
 
That includes collecting names, phone numbers, addresses and credit card details. But many of these firms fall outside the legal requirements to publicly disclose their cybersecurity investments or staffing.
 
Since a 2021 revision to the Act on the Promotion of the Information Security Industry, companies must disclose details like their IT security budgets and dedicated personnel if they are listed on the Kospi or Kosdaq and report over 300 billion won ($220 million) in annual sales or 1 million daily platform users.
 
Papa John’s Korea, Subway Korea and online luxury marketplace Mustit — which all experienced data breaches recently — face no obligations under the rule.
 
A Papa John’s Pizza branch in Seoul on June 27 [YONHAP]

 
The Korean units of global brands that were hit by data leaks between May and early July — including Louis Vuitton, Dior, Tiffany, Cartier and Adidas — are also exempt.
 
Luxury retailers tend to collect highly sensitive data, from occupation and workplace details to purchase histories and serial numbers. Yet their breach responses have fallen short.
 
By law, companies must notify the Personal Information Protection Commission within 72 hours of confirming a data leak. But multiple luxury brands reported the breaches late and failed to alert affected customers promptly. They are also not required to file annual cybersecurity disclosures.
 
The Korea Internet & Security Agency, which operates the public portal for such disclosures, said global companies are exempt because it is "difficult to assess Korea-specific cybersecurity budgets."
 
"Many global brands don’t even appoint a chief information security officer for their Korean offices," a representative from a domestic fashion conglomerate said.
 
The Ministry of Science and ICT is considering expanding the disclosure mandate to cover all listed firms, regardless of revenue. The proposal is part of a broader data protection reform package recently submitted to the presidential office's policy planning committee.
 
"The companies affected by recent breaches lacked cybersecurity staff or investment," Lim Jong-in, professor emeritus at Korea University's Graduate School of Information Security, said. "Their management was clearly inadequate. With hacking methods evolving, similar breaches will likely continue at firms without the proper systems or budget.
 
"The government should partner with telecom and IT firms to offer affordable subscription-based cybersecurity services to smaller businesses."


Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY KIM KYUNG-MI
