[Insight & Opinion] The Coupang Personal Data Leak Raises Critical Questions

The Coupang personal data leak incident is not merely a technical mishap. Following the SK Telecom leak, this repeated event raises questions about how seriously our society takes the 'basic defenses of the data era.' If we attribute the problem solely to technology, the outrage will continue to repeat. We must examine the underlying structure.

First, there is the risk posed by outdated computer systems. Most security incidents do not occur in companies using the latest technology, but rather in those with old servers and programs that are left untouched simply because they "work fine." A patch is an update that fixes already discovered security vulnerabilities, and if this is delayed, a company's system becomes as good as an open door for hackers. In the Coupang case, suspicions that the use of an outdated Windows operating system and delayed updates were at fault have fueled criticism. Even if a company boasts cutting-edge technology, incidents often stem from these hidden 'old systems.' Why is it that we are tempted to cut costs in the wrong places?

Second, there is the failure of incident response communication. In personal data leak incidents, trust hinges on "how quickly the breach was contained and how transparently it was communicated." Delayed confirmation and unclear notifications breed distrust, leading to additional costs. What is alarming is that many companies detect hacking incidents only long after they occur, and even then, it takes time before customers are informed. This is not a matter of technical capability, but rather an issue of crisis management systems and attitudes. The gap between the initial number of personal data victims reported by Coupang and the ever-increasing tally leaves us stunned.

Third, there is the paradox of regulation. South Korea is a country with extremely strong personal data protection. However, being strict does not necessarily mean being wise. When regulations become excessively complex and ambiguous, companies expend more energy on preparing documents and checking paperwork than on actual security. The reason accidents continue to happen despite strict regulations is that the rules are not designed to fit real-world operations. Regulations intended to protect customers can even crowd out companies' 'core security investments.' We must examine whether Korea's policies are 'Galapagos regulations' that are far removed from global standards.

Fourth, there is a gap in security paradigms. The United States has already shifted to the Zero Trust model, which is based on the principle of "trust no one by default." Even internal employees and those within company servers must have every access verified and authorized. Most Korean companies still operate under the outdated assumption that "the company’s internal environment is safe." While defaulting to trust may have been reasonable in the past, it is no longer valid in an era where information is highly valuable and cyberattacks directly impact business operations.

Now, companies like Coupang can no longer avoid the tough questions. Will they treat personal data as a 'secondary element' or as the 'lifeline' that upholds customer trust? Security is not simply the work of the IT department-it is a survival strategy for the company. Applying security updates promptly, replacing outdated systems, limiting information access strictly to those who need it, and notifying and responding responsibly in the event of an incident are not grand innovations, but the absolute basics. The market will thoroughly turn its back on companies that neglect these fundamentals. This is the essence of the Coupang incident.

People buy trust, not just products. Companies that fail to protect customer information ultimately fail to protect their customers. Whether this incident ends as "yet another episode of outrage" or becomes a "turning point that changes industry standards" depends on how it is handled going forward. If our companies use this event as an opportunity to adopt higher security standards and begin to treat trust as an asset rather than a cost, even a tragic incident can become the starting point for future competitiveness.

Wonkyung Cho, Professor at UNIST and Director of the Global Industry-Academia Cooperation Center

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.