Home > Opinion > Columns

The risks behind convenience

Published: 03 Dec. 2025, 00:03

Yum Tae-jung

The author is the editor of National News at the JoongAng Ilbo.

At this point, the idea that Koreans’ personal data has become a kind of global public good no longer sounds like a joke. This year alone, major breaches have hit SK Telecom, KT, Lotte Card and now Coupang, which leaked information belonging to more than 33 million users. The methods vary. SK Telecom suffered a SIM data breach through server hacking. KT faced theft through miniature mobile base stations. Lotte Card was struck by a payment-server intrusion. This time, suspicion has centered on an insider. Reports say the Chinese national identified as a key suspect retained authentication keys that allowed internal access even after leaving the company. It is astounding. The personal data of Korean consumers — now effectively a global “public good” — will continue to be used for marketing and cybercrime around the world.

The reporter holds up a Coupang Fresh Bag in front of the company headquarters in Songpa District, southern Seoul, on Dec. 1. [YONHAP]

Coupang sent customers an alert only after the breach received extensive media coverage. My own text message arrived on Saturday at 6:43 p.m. The title read “Notification of Information Exposure.” Not an apology, not an acknowledgment of a breach, but a “notification.” It felt evasive, as if the wording sought to minimize responsibility. The difference between “exposure” and “leak” is not semantic. “Exposure” refers to information becoming visible or accessible, a state that can obscure accountability. A “leak” means information has been taken or transmitted externally, directly tying the event to fault and security failure.

Coupang CEO Park Dae-jun is seen attending a parliamentary inquiry by the National Assembly’s Science, ICT, Broadcasting and Communications Committee at the National Assembly building in Yeouido, western Seoul on Dec. 2. [YONHAP]

Coupang said the “exposed” information included customers’ names, email addresses, delivery address books and order histories. The company also claimed that “card information and login-related data such as passwords were not exposed.” It is difficult to take that assurance at face value, and the unease remains. Every dawn, the company’s Fresh boxes pile up in apartment corridors, a visible symbol of its market power. Against that backdrop, hearing that the personal data of more than 33 million people was compromised is not merely unsettling. It feels dangerous. Financial authorities issued a consumer alert, and the president ordered a full investigation and strong accountability.

Coupang reportedly failed to detect any signs of a breach for five months. It is hard to understand how the internal security system of a company with annual revenue exceeding 50 trillion won ($34.1 billion) could be so lax. At that scale, robust internal controls and anomaly detection systems for personal data should be fundamental. The only conclusion is that they were not operating effectively. The company grew rapidly over the past few years but failed to build systems that match its size.

Even so, Coupang holds the ISMS-P certification, Korea’s main standard for information and personal data security. The certification is supposed to verify that an organization’s protective measures are adequate and that its information security system is being properly managed. Major hospitals, universities with more than 10,000 students, communications firms with more than one million users, and companies in the information communication sector with more than 10 billion won in annual revenue are required to obtain it. The program evaluates 101 items, from organizational security frameworks to protection measures. The Ministry of Science and ICT, the Personal Information Protection Commission, the Korea Internet and Security Agency and the Financial Security Institute operate it with strict oversight, according to the government’s 2025 National Information Security White Paper.

Given that, how did such a breach happen at a company that cleared the process? The likely explanations are either that the certification is far less rigorous than claimed or that Coupang failed to provide its full operating details during the review. Some argue that internal theft is inherently harder to prevent because certifications often focus on external threats such as hacking. That argument is unpersuasive. Strict internal controls are basic requirements, not optional safeguards.

After the SK Telecom breach, the government held an emergency meeting on major data processors and promised stronger inspections, better monitoring, and more proactive prevention. It is unclear what tangible changes have actually been implemented since then.

Korea needs a stronger digital breakwater across society. As this year’s serial leaks show, the methods used for data theft are becoming more sophisticated. Generative AI is enabling more precise, personalized attacks. Security standards must rise accordingly. Companies with more than 10 million users, such as large e-commerce or platform firms, may need a separate set of requirements.

A Coupang user changes their password on Dec. 1, after reports surfaced that customer information for over 33 million accounts have been leaked from the company. [NEWS1]

We increasingly appear trapped in a digital panopticon. Our social media footprints, login patterns, search histories and purchase behavior are constantly collected and analyzed by massive technology platforms. Many users wish to escape that surveillance, yet doing so is nearly impossible. A single click or payment triggers a chain of automated transactions — hugely convenient, undeniably efficient. But the more convenient the system becomes, the more complex and risky what lies behind it grows.

Convenience carries hidden costs. Those risks must be recognized, planned for and guarded against — not after the next breach, but now.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.