Daylila

Information Technology · Friday, 12 June 2026

01 · Briefing · what happened

South Korea fines Coupang $400M for a breach that exposed two-thirds of the country


Seoul issued its largest-ever data-breach penalty against the US-based retail giant after a former employee walked off with 34 million people's records. The same day, an unpatched Oracle flaw was used to break into 100+ organisations — most of them universities.

Key takeaways

  • South Korea fined Coupang over $400 million — its largest ever — for a breach where an insider took the data of 34 million people, putting the cost on the company that held the data, not the thief.
  • An unpatched Oracle PeopleSoft flaw let attackers break into 100+ organisations, most of them US universities; there's no patch yet, only mitigations to apply now.
  • The EU's ban on Chinese solar inverters and the breaches share one worry: the danger is rarely the locked front door — it's something trusted that's already inside, or can reach in from afar.

South Korea handed retail giant Coupang a record 624 billion won — over $400 million — on Thursday, the largest data-breach fine the country has ever issued [1]. The penalty follows a breach disclosed in December: a former Coupang employee obtained the names, email and shipping addresses, phone numbers, and order histories of more than 34 million customers — about two-thirds of South Korea’s population [1].

Coupang is headquartered in the US but huge in South Korea, often called the “Amazon of Asia.” It says it will challenge the regulator’s decision [1].

What makes this stand out is not the size of the theft but who is paying for it. The thief was an insider with legitimate access — no clever exploit, no broken lock. Yet the fine lands on Coupang, the company that held the data, not on the person who took it. That is the point. South Korea’s Personal Information Protection Commission, the agency that enforces the country’s privacy law, issued the maximum penalty allowed [1].

This is rare. US companies almost never face a financial hit of this size for losing customer data — the laws and enforcement powers mostly aren’t there [1]. The fine is so unusual against an American firm that some South Korean lawmakers say US representatives leaned on Seoul to drop it, tying the case to trade relations between the two countries [1]. Coupang denies wrongdoing and is fighting on.

The angle for anyone who holds customer data: a regulator that fines the holder — not just the hacker — changes the math on every “we’ll secure it later” decision. When losing data costs nothing, protecting it is an expense. When it costs $400 million, it becomes a budget line.

The same week, a flaw nobody had patched

The day before the Coupang fine, a cybercrime group called ShinyHunters claimed it had broken into more than 100 organisations through a single hole in Oracle’s PeopleSoft software — the system big companies use to run payroll and HR [6]. Mandiant, Google’s threat-investigation unit, confirmed it had warned roughly 100 organisations, most of them in the United States, and about two-thirds in higher education [6].

Oracle published a security advisory on Thursday [6]. The bug is a zero-day — meaning attackers found and used it before Oracle had any time to fix it [6]. Worse, Oracle said the flaw can be exploited over the internet without a password [6]. At the time of writing, there was no patch — only “mitigations” customers are told to apply themselves [6].

Some organisations blocked the attack in time. Others didn’t, and their stolen data ended up posted on ShinyHunters’ leak site [6].

Set the two stories side by side. Coupang lost data through a person it trusted on the inside. The PeopleSoft victims lost data through software they trusted from the outside. In both cases, the weak point wasn’t the locked front door — it was something already inside the wall. If you run PeopleSoft, this is a drop-everything week: apply Oracle’s mitigations now, because there is no patch to wait for [6].

Europe pulls a similar thread on hardware

The same worry — trusting something that can quietly reach in from far away — drove a separate move in Brussels. The EU banned public funding for Chinese-made solar inverters, the boxes that convert solar power into electricity the grid can use [15]. Officials fear that because these inverters receive remote software updates, a “high-risk” supplier could one day use that channel to disrupt or shut down parts of Europe’s grid [15].

The catch: Chinese makers, led by Huawei and Sungrow, supplied about 70% of Europe’s inverters in recent years [15]. The ban could touch more than a fifth of new solar capacity — at least 14 gigawatts — and push developers toward pricier alternatives, slowing the climate rollout the EU is racing to finish [15].

It’s the Coupang lesson in hardware form: the question isn’t whether the device works today, but who can reach it tomorrow, and what you’d lose if they did.

Quietly, in India, an AI that answers your phone

Away from the security headlines, a Bengaluru startup raised $30 million to solve a small, daily misery. Equal AI built an assistant that answers your phone calls for you — it picks up, asks who’s calling and why, and shows you the reason before you decide to engage [44].

India is flooded with calls: spam, scams, delivery drivers, banks. Apps like Truecaller already tell you who is calling, but Equal AI’s bet is that the name isn’t enough — you want to know why [44]. The dialer offers quick replies like “Leave the delivery near the door,” reads them back to the caller, and saves a transcript [44]. Since launching last year it says it has passed a million monthly users, with backers including PhonePe’s founder and an Airtel family office [44].

The Series B is small next to the week’s mega-deals, but it’s a clean example of AI doing something narrow and genuinely useful — screening the noise so a person doesn’t have to. Worth watching for anyone building consumer tools: the win here isn’t a smarter model, it’s a boring chore removed.

02 · Lesson · why it matters

When losing your data costs the company nothing, it won't guard it

The danger isn't that companies don't care about your data. It's that, until a fine lands on them, they have no reason to.

A thief who didn’t break in

Start with the strangest fact in today’s news. A former Coupang employee walked off with the personal records of 34 million people — two-thirds of South Korea. There was no clever hack, no broken lock. Just someone on the inside with legitimate access.

And the $400 million fine landed on Coupang. Not the thief. The company that held the data.

That feels backwards at first. Punish the one who took it, surely? But look closer and it’s exactly right — and it points at a pattern that runs through far more than data breaches.

Who pays decides how carefully it’s held

Here’s the quiet problem with your data. The company that collects it gets the benefit — it can ship to you, market to you, learn from you. But if that data leaks, the cost mostly lands somewhere else. On you: the spam, the scam calls, the stolen identity. On strangers you’ll never meet.

When the people who enjoy the benefit don’t pay the cost, something predictable happens. They under-spend on the thing that protects you. Not because they’re villains — because protection is an expense, and the expense buys them very little. Securing data they can lose for free is money spent guarding against someone else’s pain.

Economists have a dry name for a cost that lands on people who didn’t choose it: an externality. Pollution is the classic one — a factory makes a profit, the smoke lands on the town downwind. A data breach is the same shape. Coupang ran the business; 34 million strangers breathe the smoke.

What a fine actually does

So what is South Korea’s regulator really doing with that $400 million? It isn’t getting anyone’s data back — that’s gone. It’s moving the cost.

Before the fine, losing your records cost Coupang roughly nothing. After it, losing your records costs $400 million. That single number rewrites every “we’ll secure it later” decision the company will ever make. Suddenly the boring spending — the access controls, the monitoring of what employees can download — stops being an expense that protects strangers and becomes one that protects the budget.

That’s the whole mechanism. A fine doesn’t make a company moral. It makes carelessness expensive, so that the careful choice and the cheap choice finally point the same way. South Korea moved the cost back onto the holder. Most places — including the US, where Coupang is headquartered — have no law to do it, which is exactly why a fine this size against an American firm is rare enough to make headlines.

The same shape, everywhere this week

Once you see it, the pattern is in the other stories too.

The Oracle PeopleSoft flaw broke into a hundred organisations through software they trusted. Oracle wrote the code; the universities ran it; the students whose records leaked had no say in either decision. Europe’s worry about Chinese solar inverters is the same fear pointed at hardware — a device you depend on, reachable by someone far away, where the cost of misplaced trust would land on a whole grid, not on the people who chose the cheap part.

In every case the weak point isn’t the locked front door. It’s something already trusted — an insider, a vendor’s code, a box on the wall — held by someone who wouldn’t pay much if it failed.

You’re already inside this, and you can’t see most of it

Here’s the part that should make you hold your conclusions loosely.

You did not choose to be in Coupang’s database in the way you choose a meal. You ordered something, and your name, address, and phone number went into a system you’ll never inspect, guarded — or not — by people you’ll never meet, under spending decisions you’ll never see. Multiply that by every app, every shop, every service you’ve ever signed up for. You are sitting, right now, inside hundreds of these quiet bets, and you know the contents of almost none of them.

That’s the humbling thing. It’s tempting to read a breach story and think they should have been more careful. But “they” is everywhere, and you are downstream of all of it, and so is the person next to you. The data of two-thirds of a country leaked from one company most of those people never thought about. The fix isn’t to trust harder or to panic. It’s to notice the shape: a benefit on one side, a cost on the other, and a gap between them that someone — a regulator, a law, a fine — has to close, because the people enjoying the benefit rarely close it on their own.

The next time a company asks for one more piece of you, that’s the real question underneath. Not do they seem trustworthy. But who pays if they’re wrong — and the unsettling answer, more often than not, is you.

03 · Lab · your turn

Who Pays For The Breach

Rehearse how a company's spending on data security flips the moment a fine moves the cost of a breach from strangers onto the company itself.
