South Korea Tightens Data‑Security Rules After Massive Coupang Leak
Government Mandates ISMS for Telecom and Platform Companies
The inter‑agency meeting on Dec. 6 ordered that the Information Security Management System (ISMS) become compulsory for all telecom and online‑platform firms, shifting from its previous voluntary status[1]. Initial certification will now require preliminary evaluations and on‑site inspections, and post‑breach reviews may lead to revocation of the certification[1]. This overhaul is paired with pending legal revisions aimed at raising industry‑wide data‑security standards[1].
Coupang Breach Exposes Over 33 Million Customer Records
Coupang disclosed that personal data of 33.7 million customers was compromised and that the compromise remained undetected for months, fueling public distrust[1][2]. The regulator, the Personal Information Protection Commission (PIPC), demanded a re‑notification to users after the company initially described the incident as an “exposure”[2]. The scale of the breach has triggered scrutiny of the company’s ISMS‑P certification, a type of certification that has never been cancelled before[2].
Potential Record Fine Could Reach 1.2 Trillion Won
Based on Coupang’s 41 trillion‑won annual sales, the PIPC can impose a penalty of up to 3% of sales, potentially amounting to 1.2 trillion won if all revenue is considered[2]. The regulator’s chairperson emphasized a “strict judgment” reflecting the breach’s seriousness[2]. For context, the previous highest fine was 134.8 billion won levied on SK Telecom for a breach affecting 23 million users[2].
Regulatory Actions May Include Certification Revocation
The breach raises the prospect of revoking Coupang’s ISMS‑P certification, a move unprecedented in South Korea’s data‑security regime[2]. Authorities will conduct thorough post‑screening and may cancel certifications for firms deemed to have severe breaches[1]. The combined push for mandatory ISMS compliance and aggressive penalties signals a tougher enforcement landscape for digital‑economy players[1][2].
Sources (2 articles)
[1] Yonhap: South Korea to Strengthen Information Security Certification After Coupang Breach: Government will make ISMS mandatory for telecom and platform firms, tighten certification checks, and consider revoking certifications after severe breaches, following a leak affecting 33 million customers.
[2] Yonhap: Coupang Faces Potential Record Fine Over 33.7 Million Customer Data Breach: PIPC may fine Coupang up to 1.2 trillion won, re‑notify users, and contemplate revoking its ISMS‑P certification, highlighting the breach’s magnitude and comparing it to the prior SK Telecom penalty.