South Korea Moves to Mandate ISMS Certification for Telecom and Platform Firms After Coupang Breach
Updated (2 articles)
Government mandates ISMS for telecom and platform sectors following massive data leak

The inter‑agency meeting on Dec. 6 ordered that the Information Security Management System (ISMS) become compulsory for all telecommunications and online‑platform companies, a direct response to Coupang’s breach that exposed personal data of more than 33 million customers[1]. Regulators cited the breach’s scale and the months‑long undetection as evidence that voluntary certification has failed to protect consumer information[2]. The decision signals a shift toward uniform security standards across critical digital infrastructure.

Certification process to tighten with on‑site inspections and breach‑linked revocations

Currently, ISMS and its personal‑information counterpart ISMS‑P are granted only on a voluntary basis; the new rules will require preliminary evaluations and mandatory on‑site audits before certification is awarded[1]. Companies that suffer severe breaches will face post‑screening and may have their certifications revoked, a measure never applied before in South Korea[1]. These safeguards aim to prevent future incidents similar to the Coupang exposure.

Regulator prepares record‑size fine and re‑notification demand

The Personal Information Protection Commission (PIPC) announced it could levy a penalty of up to 3 % of annual sales, potentially reaching 1.2 trillion won for Coupang, whose 2025 revenue was 41 trillion won[2]. The commission also ordered the e‑commerce giant to re‑notify affected users, criticizing its initial description of the event as a mere “exposure”[2]. The proposed fine would surpass the previous record of 134.8 billion won imposed on SK Telecom for a 23 million‑user breach[2].

Legal overhaul underway to embed stricter data‑security standards

Officials indicated that related statutes will be revised to support the certification overhaul and raise industry‑wide security expectations[1]. The move reflects growing public distrust after the Coupang incident and seeks to align South Korea’s data‑protection regime with global best practices[1]. If enacted, the reforms could set a precedent for mandatory security certification in other high‑risk sectors.
Sources (2 articles)
- [1] Yonhap: South Korea to Strengthen Information Security Certification After Coupang Breach: details mandatory ISMS rollout, enhanced certification checks, and legal revisions following a breach affecting 33 million customers.
- [2] Yonhap: Coupang Faces Potential Record Fine Over 33.7 Million Customer Data Breach: outlines possible 1.2 trillion‑won fine, regulator’s re‑notification demand, and comparison to prior SK Telecom penalty.
Timeline
Aug 2025 – SK Telecom receives a 134.8 billion‑won penalty for a data breach that exposed 23 million users, establishing the previous record fine and a 300 billion‑won ceiling for future penalties under South Korea’s data‑protection regime. [2]
Late Nov 2025 – Coupang publicly acknowledges that personal data of 33.7 million customers was compromised, revealing that the breach remained undetected for months and igniting regulator scrutiny. [2]
Dec 4, 2025 – The Personal Information Protection Commission (PIPC) says it can levy a fine of up to 1.2 trillion won—3 % of Coupang’s 41 trillion‑won annual sales—over the breach; Chairperson Song Kyung‑hee tells parliament, “We will make a strict judgment based on seriousness.” [2]
Dec 6, 2025 – An inter‑agency meeting mandates that the Information Security Management System (ISMS) become compulsory for all telecom and online‑platform firms, tightens initial certification checks, and authorises post‑breach screening with possible revocation of ISMS‑P certification—an action never taken before—while a legal overhaul aims to raise industry‑wide data‑security standards after the Coupang incident. [1]