South Korea’s recurring mass data breaches: underinvestment and weak follow-up at the root

Real name
Tyler Hansbrough
Bio
As one of the youngest members of the team, Tyler Hansbrough is a rising star in financial journalism. His fresh perspective and analytical approach bring a modern edge to business reporting. Whether he’s covering stock market trends or dissecting corporate earnings, his sharp insights resonate with the new generation of investors.

South Korea’s not-so-quiet year in cybersecurity: it’s not just Coupang
Many Korean companies still hesitate to invest more in security—and post-incident response often falls short
The React incident that shook the industry: could it expose deeper weaknesses in Korean business?

South Korea’s corporate security practices are coming under heavy scrutiny, as weak defenses continue to draw backlash from the market. A series of large-scale data breaches has hit since the start of the year, and most recently Coupang added fuel to the fire after the personal data of tens of millions of people was leaked, intensifying criticism of how companies handle cybersecurity. Experts say the repeated lapses point to a deeper, long-running problem: chronic underinvestment in security and a complacent attitude toward cyber risk across the corporate sector.

South Korea weighed down by security incidents

According to retail industry sources on Dec. 10, Coupang said it became aware on Nov. 18 that personal data tied to about 4,500 customer accounts had been accessed without authorization from outside the company. A criminal complaint was filed on Nov. 25, and the incident was reported to the Korea Internet & Security Agency and the Personal Information Protection Commission. However, a joint probe by the relevant authorities and follow-up internal reviews later confirmed that the number of affected accounts was not 4,500 but roughly 33.7 million. Coupang said the account used to access customer information belonged to a former employee of Chinese nationality who has since left the company and departed South Korea. It has not been confirmed whether the individual personally used the account or whether it was hijacked and used by a third party.

Consumer anxiety is mounting as large-scale personal data leaks continue to accumulate this year. In January, GS Retail said a website hack between Dec. 27 and Jan. 4 exposed seven categories of personal data—including names, gender, and dates of birth—for about 90,000 customers. About a month later, on Feb. 27, the company issued an additional notice saying further analysis of the past year’s records suggested signs that roughly 1.58 million records had been leaked in the attack, marking the first major data breach of the year. In April, SK Telecom suffered a leak affecting about 23.24 million users. The compromised data included not only basic subscriber information but also 25 types of personal data, including identifiers that can be used to pinpoint individuals (such as subscriber identification numbers and device identification numbers). In August, the Personal Information Protection Commission imposed a record-high administrative fine of about $91.9 million over the incident.

In May, job platform Albamon was hit by a cyberattack that leaked 22,473 temporarily saved resumes containing users’ names and mobile phone numbers, and in July, student data was leaked at Daesung Educational Development Institute, an affiliate of Daesung Academy. The following month, in August, an unauthorized KT micropayment case emerged. KT and investigators estimated that personal data and authentication information for about 22,200 customers had been leaked, and that 368 of them suffered losses of about $166,000 due to unauthorized small payments.

Where do the cracks in Korea’s security systems come from?

South Korean companies’ inadequate investment in cybersecurity is widely seen as a core driver of these recurring large-scale incidents. In its 2024 Information Security Survey, released in April after reviewing 6,500 companies nationwide with 10 or more employees, the Ministry of Science and ICT said 87.9% of firms either set aside no budget for information security at all or spent less than 5 million won. In other words, nearly nine out of 10 companies are effectively in a security blind spot. Only about half of companies (49.9%) had allocated any budget for information security. The survey also found that 48.4% had no internal information-security policies, and 67.4% had no dedicated information-security organization.

The staffing shortage is also serious. The ministry said information-security specialist firms plan to hire only 2,029 security professionals this year, down 35.77% from last year’s 3,159. Among South Korean companies overall, just 28.6% have full-time staff dedicated to security work, and even where security personnel exist, 63.6% have them juggling security alongside other duties. Some companies—including construction firms—have even reported in government security disclosures that HR staff are overseeing security functions that require IT expertise.

Weak incident response is another recurring problem. Among companies that experienced an information-security incident last year, as many as 67.7% took no meaningful follow-up action. Even those that responded often opted for limited measures such as building or upgrading security solutions (11.7%), seeking compensation from outsourced management vendors (11.3%), or drafting or revising internal policies (9.3%). The share of incidents that went unreported despite a breach approached 80.4%.

These structural problems have translated into serious vulnerabilities across corporate Korea. In SK Telecom’s USIM-hacking incident, investigators identified poor account management, insufficient encryption of critical information, and the absence of company-wide security governance. KT was found to have identified a mass server infection involving BPFdoor malware last year but failed to report it to authorities and instead tried to conceal it. Coupang, meanwhile, left a former developer’s signing key active, and failed to detect unauthorized access that continued for five months.

Renewed anxiety after the “React” incident

Korean companies’ cybersecurity weaknesses have been steadily fueling public unease, and concerns have flared again in recent days over the “React” incident that has rattled the IT industry. On Dec. 3, Amazon Web Services (AWS) and others confirmed that React, a widely used web development framework, contains a vulnerability dubbed “React2Shell” (CVE-2025-55182). The flaw affects React 19.x and versions 15–16.x of Next.js, a React-based framework. By exploiting it, an attacker can execute arbitrary code on a server without authentication with a single request—potentially deleting or tampering with critical data and even seizing administrator privileges.

The bigger concern is that Chinese advanced persistent threat (APT) groups are moving quickly to take advantage of the weakness. According to AWS, hacker groups such as Earth Lamina and Jackpot Panda—linked to the Chinese government—weaponized the vulnerability and deployed it in the wild within hours of its disclosure. AWS said their campaign is less about sophistication than about rapidly striking a wide range of targets, and that they are pushing proof-of-concept (PoC) code straight into attacks without fully validating it first, in a bid to secure initial access before patches are applied.

That approach is possible because React is one of the web frameworks that dominate global development. According to the global security firm Wiz, more than 40% of cloud environments include Next.js or React instances, meaning even broad, low-precision attacks can still produce a large number of victims. In South Korea, major companies including Toss, Coupang, 11st, and Kakao Pay are also known to use React. If patching and mitigation are delayed, the risk is that Korean services closely tied to daily life—such as payments and e-commerce—could face cascading disruptions.
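For teams triaging their own exposure, the sketch below is an added example (not from the article, AWS, or the React project) that scans an npm lockfile for packages in the version ranges reported above: React 19.x and Next.js 15–16.x. The sample lockfile and the names `findReportedVersions` and `REPORTED_MAJORS` are constructed for illustration; the article does not list fixed releases, so a match only means the package needs checking against the vendor advisory.

```javascript
// Added example: triage an npm lockfile against the version ranges the article
// reports for React2Shell (CVE-2025-55182): React 19.x and Next.js 15.x-16.x.
// These ranges are the article's coarse description; fixed releases are not
// listed on the page, so a hit means "verify against the vendor advisory".
const REPORTED_MAJORS = new Map([
  ["react", [19]],
  ["next", [15, 16]],
]);

// Walk the "packages" map of a lockfile (npm lockfileVersion 2 or 3).
function findReportedVersions(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !meta || typeof meta.version !== "string") continue;
    // Text after the last "node_modules/" is the package name, so nested
    // copies pulled in by dependencies are inspected as well.
    const name = path.slice(idx + marker.length);
    const majors = REPORTED_MAJORS.get(name);
    if (!majors) continue;
    const major = Number.parseInt(meta.version.split(".")[0], 10);
    if (majors.includes(major)) {
      hits.push({ name, version: meta.version, path, devOnly: meta.dev === true });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = JSON.stringify({
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/@types/react": { version: "19.0.1", dev: true },
  },
});

for (const hit of findReportedVersions(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}: check vendor advisory`);
}
```

Because the walk covers nested `node_modules` paths, a copy of React pulled in by a dependency is reported even when the top-level version is outside the range.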
