SK Telecom's 73% Profit Plunge & Coupang's Expanding Leak: The High Cost of Data Breaches in South Korea

The financial and reputational aftershocks of data breaches are being felt with unprecedented severity in South Korea, as two corporate titans—SK Telecom and Coupang—grapple with the multi-million dollar consequences of failing to protect customer information. These parallel crises offer a stark, real-world case study for global CISOs and boardrooms on the tangible cost of cybersecurity failures, where the bill extends far beyond immediate incident response to crippling profit losses and escalating regulatory scrutiny.

SK Telecom: A 73% Profit Plunge as a Direct Cost of Failure

The most dramatic illustration of breach impact comes from SK Telecom, South Korea's largest wireless carrier. The company's financial disclosures for 2025 reveal a devastating year-on-year net profit collapse of 73 percent. While market fluctuations play a role, corporate statements and analyst reports directly attribute a significant portion of this plunge to the massive, unplanned expenditures triggered by a major data breach. These costs are multifaceted, creating a perfect storm that eroded the bottom line.

First are the direct financial outlays: forensic investigation by internal and third-party cybersecurity teams, widespread customer notification campaigns as mandated by South Korea's strict Personal Information Protection Act (PIPA), and the provision of credit monitoring and identity theft protection services to millions of affected individuals. Second, and potentially more damaging in the long term, is the catastrophic loss of customer trust, leading to churn and reduced customer lifetime value. Third, the company faces substantial regulatory fines from South Korea's Personal Information Protection Commission (PIPC), which has taken an increasingly aggressive stance against corporations that mishandle data. The combined weight of these factors transformed a data security incident into a defining financial event for the telecom giant.

Coupang's Expanding Breach: Scale and Uncertainty

While SK Telecom deals with the financial aftermath, e-commerce leader Coupang is contending with a breach that continues to grow in scope. Initially reported as a contained incident, the company has now confirmed that personal data belonging to over 165,000 South Korean users has been compromised. This figure represents a significant upward revision, highlighting a common challenge in breach response: the full scale of an incident is often not immediately apparent.

The leaked data is reported to include sensitive personal information, though Coupang has stated that financial data and passwords remained secure. The breach's origin appears to be linked to a vulnerability exploited by threat actors, though a full technical root-cause analysis may still be ongoing. For Coupang, known for its "Rocket Delivery" speed, this incident strikes at the heart of its brand promise of convenience and reliability. The expanding victim count forces the company into a reactive posture of repeated public disclosures and escalates its potential liability under PIPA, which imposes heavier penalties for breaches affecting larger numbers of individuals.

The Regulatory Reckoning in South Korea

These incidents are not occurring in a vacuum. They are unfolding under the watch of one of the world's most stringent data protection regimes. South Korea's PIPA and the enforcement authority of the PIPC set a high bar for corporate data stewardship. The commission has the power to levy fines of up to 3% of a company's global revenue for serious violations. Furthermore, it can order corrective measures, issue public reprimands, and even refer cases for criminal prosecution.

The breaches at SK Telecom and Coupang are certain to be top priorities for the PIPC. The regulatory response will likely involve detailed investigations into the security measures both companies had in place prior to the incidents, their data retention policies, and the timeliness and adequacy of their breach notifications. The outcomes will send a powerful message to the entire Korean market and serve as a benchmark for regulatory expectations. For the global cybersecurity community, South Korea's approach provides a preview of the potential future of data breach penalties in other regions, including under regulations like the GDPR.

Lessons for the Cybersecurity Community

The tandem crises at SK Telecom and Coupang offer critical lessons for security professionals worldwide:

Conclusion: A Watershed Moment for Corporate Security

The events in South Korea represent a watershed moment. They move the conversation about data breaches from abstract risk models and theoretical compliance exercises into the realm of stark financial reality and corporate survival. For SK Telecom, the path to recovery involves not only shoring up its digital defenses but also a long journey to rebuild profitability and shareholder confidence. For Coupang, the challenge is to contain the technical and reputational damage of an expanding incident.

For the rest of the world, the message is clear: in an era of sophisticated cyber threats and powerful regulators, the cost of failing to protect data can now be measured in hundreds of millions of dollars and double-digit percentage points of profit. Investment in cybersecurity is not an expense; it is an investment in the very viability of the modern enterprise.