The incident has laid bare the vulnerability of Koreans' private data in a society where virtually every aspect of daily life — banking, shopping, communication, mobility — runs through digital platforms, while exposing corporate and government complacency in safeguarding privacy.
Kakao, operator of the country's dominant messaging platform, said it is upgrading its internal security response processes after this year's repeated data leaks.
"With so many security breaches this year, including Coupang's case, we are re-examining and advancing our overall internal security response processes. We are expanding mock drills based on actual incident scenarios and strengthening monitoring to identify and respond to potential risks earlier," a Kakao spokesperson in charge of security told AJP.
With nearly the entire Korean population relying on KakaoTalk for communication and business transactions, the company is conducting scenario-based infiltration training by hiring white-hat hackers and expanding company-wide security drills to bolster practical preparedness.
Kakao is also stepping up user-side protection. Through its KakaoTalk Wallet, it has been sending cautionary alerts to help prevent secondary damages linked to the Coupang breach. Its government-notification service — which alerts users when overseas direct purchases are made under their name — is designed to detect early signs of identity theft.
Viva Republica, operator of the financial super-app Toss, said it is conducting regular mock hacking exercises, vulnerability scans, and penetration-based safety checks.
"We are meticulously reviewing our security systems across all services. We operate a 24-hour monitoring and response system for detecting anomalies and are prepared to respond immediately if additional measures are needed," a Viva Republica spokesperson said.
Naver, the country's largest internet portal, declined to comment on its latest response measures. The company already maintains dedicated security personnel in its commerce and shopping divisions, overseeing personal data protection from service design to operation. It has also allocated resources to address security vulnerabilities and misuse issues — and stands to benefit from an influx of users if trust in the leading e-commerce platform continues to erode.
While major platforms are tightening internal defenses, the government is also accelerating regulatory updates.
The ruling Democratic Party of Korea is expected to revive efforts to pass the Online Platform Act once ongoing non-tariff negotiations with the United States conclude, according to industry sources. The bill would classify major platform operators — including Naver and Coupang — as dominant market players subject to stricter Fair Trade Commission oversight.
The legislation stalled earlier this year after U.S. officials raised concerns it would disproportionately target American firms such as Google and Meta. But the Coupang breach has given lawmakers fresh political momentum.
President Lee Jae Myung called for stronger penalties and punitive damages mechanisms in the wake of the breach. "We need to strengthen fines and make the punitive damages system a reality," Lee said, referring directly to Coupang.
Coupang has maintained there is no evidence of direct secondary damages so far. But the Korean National Police Agency has urged heightened vigilance, warning of persistent phishing and smishing attempts exploiting the situation.
Meanwhile, Coupang faces class-action lawsuits both in the United States and Korea.
SJKP, the U.S. affiliate of Korea's Daeryun Law Firm, held a press conference in Manhattan on Monday announcing plans to file a punitive damages suit in U.S. courts against the company, which is based and publicly traded in the U.S. while earning money through retail business in Korea. Unlike in Korea, American law allows punitive damages that could yield significantly larger compensation.
Daeryun said it will pursue litigation simultaneously in both countries and is examining whether Coupang properly disclosed the breach to the U.S. Securities and Exchange Commission, as listed companies are required to report major cybersecurity incidents within four business days.
Copyright ⓒ Aju Press All rights reserved.