South Korea Fortifies Data Security After Coupang Breach: New Rules for Mandatory ISMS Certification & Tougher Measures

Dec 6, 2025

South Korea Responds to Coupang Breach with Sweeping Data Security Reforms

South Korea is set to significantly enhance its information security regulations in direct response to a massive data breach that exposed the personal information of over 33 million customers of e-commerce giant Coupang. This decisive action, announced by the government on Saturday, aims to rebuild public trust and prevent future security lapses in a nation celebrated for its advanced information technology infrastructure.

Urgent Government Response to Growing Cyber Threats

The Personal Information Protection Commission (PIPC) and the Ministry of Science and ICT (MSIT) convened an urgent interagency meeting to address the escalating concerns surrounding digital privacy. The Coupang incident, in which sensitive customer data was leaked and went undetected for months, starkly highlighted existing vulnerabilities even within state-certified companies. This recent breach follows a series of similar security compromises at other prominent South Korean firms, including the top mobile carrier SK Telecom.

Overhauling the Information Security Management System (ISMS)

To counter this troubling trend, the government is planning a comprehensive overhaul of its Information Security Management System (ISMS) certification framework. A pivotal proposal is to make ISMS certification mandatory for all companies operating in critical sectors such as telecommunications and platform services. Currently, both ISMS and ISMS-P (the security system specifically for personal information) certifications are obtained voluntarily by operators.

Stricter Enforcement and Accountability

Furthermore, accountability post-breach will be rigorously enforced. Should a data breach occur, the responsible company will face a thorough post-screening investigation, with the severe consequence of ISMS certification cancellation if the case is deemed grave. The initial ISMS certification process itself will also undergo substantial toughening, incorporating stricter preliminary evaluations and meticulous on-site inspections, among other measures.

These significant reforms will necessitate critical revisions to existing laws to fully implement the proposed system overhaul. The government's proactive stance unequivocally signals its commitment to bolstering digital privacy protections and safeguarding citizens' personal data against the continually evolving landscape of cyber threats.
