Home > National > Social Affairs

Number of personal info leaks may reach all-time high, already at 311 cases as of September

Published: 09 Dec. 2025, 14:50

Park Dae-jun, the CEO of Coupang, bows his ahead in apology to lawmakers at the National Assembly’s Science, ICT, Broadcasting and Communications Committee meeting in western Seoul on Dec. 2. [LIM HYUN-DONG]

The number of personal information leaks reported in Korea in the first three quarters of this year has already surpassed the total reported for all of last year, raising concerns that this year could see an all-time high of such incidents.

According to data submitted to People Power Party lawmaker Park Choong-kwon by the Personal Information Protection Commission (PIPC), 311 personal information breach cases were reported between January and September. This exceeds the 307 cases reported in all of 2022 and nearly doubles the 163 cases reported in 2021. It also approaches the five-year high of 318 cases in 2023.

With December still left, 2025 is on track to become the worst year in terms of data leaks.

In addition to the volume of cases, the scale and frequency of major breaches have heightened public concern.

In January, GS Retail disclosed that a cyberattack between Dec. 27, 2024, and Jan. 4 this year led to the leak of personal information — such as names, gender and birthdates — of approximately 90,000 customers. A month later, further analysis found evidence that the number could actually be around 1.58 million cases instead, marking the year's first large-scale breach.

In April, SK Telecom suffered a massive breach that exposed the data of approximately 23.24 million users — nearly half the population of Korea. The leaked information included 25 types of personal data, including sensitive information. In response, the PIPC in August imposed a record 134.8 billion won ($91.6 million) fine on the telecom provider.

SK Telecom CEO Ryu Young-sang bows in apology during a press conference on the hacking incident and the company’s response at the SKT Tower in Jung District, central Seoul, in July. [NEWS1]

In May, job search platform Albamon was hacked, resulting in the leak of 22,473 draft resumes containing users’ names and phone numbers. In July, an affiliate of Daesung Hagwon, one of the largest cram schools in the country, reported a student data leak. In August, a small unauthorized billing scam involving KT and about 20 rogue femtocell devices led to the leak of approximately 22,200 users' information. Among them, 368 suffered unauthorized microtransactions totaling around 243.2 million won.

Then in November, Coupang experienced what has been called the worst breach in Korean history. Information from 33.7 million user accounts — including phone numbers, addresses and in some cases, even front door PIN codes — was leaked. Victims are pursuing a class action suit against the company.

That same month, a hacking incident at Lotte Card exposed the data of 2.97 million customers. Among them, 280,000 lost particularly sensitive data, including credit card and CVC numbers and resident registration numbers.

In response, the Ministry of Science and ICT and the PIPC announced measures to tighten the ISMS-P certification system, Korea’s main standard for information and personal data security. Under the revised plan unveiled on Saturday, postincident reviews will be conducted when breaches occur at certified companies, and certification will be revoked if major flaws are found.

The Personal Information Protection Commission holds a meeting on revising the ISMS-P certification system, the country’s only government-run information security and personal data protection framework, at the government complex in central Seoul on Dec. 6. [NEWS1]

However, critics argue the reforms fall short, noting that Coupang and Lotte Card were both ISMS-P certified when the breaches occurred. Some have called the certification system meaningless.

Experts say that companies must take more proactive steps to secure user data, and that Korea’s entire data protection framework needs an overhaul.

“Companies often view personal data protection purely as a cost and are content with merely meeting legal standards,” said Hwang Suk-jin, a professor at Dongguk University’s graduate school of international information security. “Yet these incidents keep happening because of systemic weaknesses that proper frameworks could have prevented.”

He continued, “Coupang, for example, holds seven [security] certifications but has suffered four data breaches since 2021. Stronger measures are needed, including revoking and permanently denying recertification for serious violations.”

“The PIPC and the Science Ministry operate separate certification standards, and frequent staff rotations weaken institutional expertise,” said Park Choon-sik, a professor of cybersecurity at Seoul Women’s University. He suggested establishing a dedicated cybersecurity agency to improve Korea’s data protection infrastructure.

This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY KIM CHANG-YONG [[email protected]]