[Gangnam Perspective] 2025: The Year of Hacking

"Is this the year of hacking?" This was a comment on a news article about the Coupang hack. It's an understandable reaction. From telecom companies and gaming firms to luxury brands and online retailers, the number of breaches this year alone is hard to count. Among them, the revelation that even front door passwords were leaked from Coupang—a service used daily by many—leaves a sense of futility. With over 65% of the population using the platform, more than 34 million personal data records were exposed. Over the past decade, the total number of personal information leaks confirmed in Korea has exceeded 300 million. The saying, "My personal information is no longer mine alone," is no exaggeration.
The proliferation of Artificial Intelligence (AI) is accelerating the evolution of hacking techniques. In the past, only skilled organizations could attempt sophisticated intrusions, but now AI-powered automation tools enable much faster and broader attacks. Large-scale automated phishing and offensive AI that scans for vulnerabilities in Cloud computing environments in real time are just some examples. New forms of attacks emerge every quarter. We are truly living in an era where the battle between offense and defense unfolds by the second.
The problem is that corporate security systems are failing to keep pace. This year’s incidents reveal a common pattern: hackers infiltrated systems for months without detection, or breaches were only discovered after the fact. In the case of Coupang, unauthorized access to an internal employee account continued for five months, yet the alarm system never activated. While attacks have become automated and sophisticated, defenses remain stuck at the level of manual log reviews.
This situation starkly illustrates how lax corporate security awareness is. Hackers are becoming more organized and sophisticated, yet companies still treat security as a mere adjunct to development and operations. In many cases, corporate investment in security doesn't even reach 1% of revenue. With automated attacks and passive defense systems, the gap is bound to widen.
Strong government sanctions are also crucial. President Lee Jae-myung recently emphasized at a Personal Information Protection Commission (PIPC) briefing that companies must recognize, "If you harm the public, you will face severe economic sanctions, and your company could go bankrupt if you make a serious mistake." There are discussions about raising fines for repeated or serious violations from 3% up to 10% of total revenue. With the introduction of class action lawsuits also being considered, corporate accountability is expected to increase.
Robust penalties are certainly necessary. Given that security has long been seen as an 'optional obligation,' there must be mechanisms to ensure companies take it seriously. It is meaningful to restructure incentives so that the cost of preventing incidents outweighs the risks and expenses incurred after a breach.
However, tougher sanctions alone are not enough. Fines cannot replace root cause analysis or fundamental improvements. What companies must change first is their perception of security and their management structures. Security should not be viewed as a 'cost center' but as the foundation of corporate trust and existence. It must be integrated into business processes from the design stage.
The government must also create structural conditions that enable companies to invest continuously in security, beyond just regulation. This includes expanding the workforce and technology ecosystem, updating Cloud computing and AI security certification standards, and strengthening information-sharing systems for preemptive responses. Regulations are only effective when such infrastructure is in place. Currently, each company is left to face attacks and bear responsibility on its own. In this system, no company can establish a truly impenetrable defense.
In the age of AI, personal information is no longer just data. It is directly linked to corporate innovation, consumer trust, and even national cyber sovereignty. Attacks are already organized and automated, and infiltration speeds will only increase. Yet if security remains focused on 'post-incident response,' we will find ourselves asking the same question again next year: "Is this another year of hacking?"
yjjoe@fnnews.com Reporter