What to know this week
South Korean company Coupang experiences a major data leak.
Over the weekend, South Korean e-commerce company Coupang suffered a major data breach exposing over 33 million customers.
India mandates smartphone makers pre-install state-owned security app.
On Tuesday, India released a new order requiring smartphone makers to pre-install the state-owned application, Sanchar Saathi.
This week's full stories
South Korea suffers massive data leak.
THE NEWS
Over the weekend, reports emerged that South Korean e-commerce giant Coupang suffered a major data breach. Since the breach began on June 24, 2025, over 33 million customers have had their personal data exposed, making it the country’s worst breach in over a decade. According to the company, the breach exposed customer names, email addresses, phone numbers, shipping addresses, and order histories. However, payment details and login credentials were not exposed.
When discussing the breach, South Korea’s Science Minister Bae Kyung-hoon stated that the attackers had targeted authentication vulnerabilities in the company’s servers and that the nation’s authorities were investigating whether the company had violated any rules regarding protecting personal information.
The broadcaster JTBC reported that after an internal investigation, the company suspects a former Chinese employee of misusing authentication tasks. Coupang’s Chief Information Security Officer Brett Matthes expanded further on the breach, stating that the perpetrator obtained a private encryption key, which allowed the attacker to forge a token to impersonate a customer. Matthes stated:
“We do believe that this person, if it is the person, had a privileged role within the organisation that would have given him access to the key that has been taken.”
J.P. Morgan analysts also commented on the breach, stating:
“We expect potential customer losses to be limited due to CPNG’s unrivaled market positioning and Korean customers being seemingly less sensitive to data breach issues.”
Currently, the police and the company have not provided any information on the potential suspects.
THE KNOWLEDGE
This is not the only attack that targeted South Korea in November. Alongside this breach, reports emerged that a team, potentially North Korean, targeted Upbit, the country’s largest cryptocurrency exchange platform. With this attack, the group was able to withdraw 44.5 billion won worth of cryptocurrency. The attack is being attributed to the Lazarus Group, the North Korean advanced persistent threat linked to dozens of high-profile global institutions.
Though these attacks are unrelated to each other, they are representative of why the South Korean government has begun to scale up its cybersecurity requirements. Shortly after the Coupang breach, South Korean President Lee Jae Myung announced the need to increase penalties related to corporate negligence. Currently, South Korean law stipulates that companies that fail to implement adequate data protection measures could be fined up to 3% of their revenue. As it stands, this law could result in a fine of over one trillion won for Coupang.
However, in October 2025, South Korea implemented a new set of cybersecurity measures to both prevent data leaks and minimize hacking efforts. These updated laws came after the country experienced a series of major breaches in both telecommunications and financial firms. When releasing this initial “immediate action roadmap,” the government stated that it would also release a long-term national security strategy before the end of 2025.
Science Minister Bae Kyung-hoon stated:
“Relevant ministries will closely monitor the implementation of these measures to ensure their effectiveness.”
Under this new plan, South Korean authorities will be tasked with conducting large-scale inspections of about 1,600 critical IT systems in public infrastructure, government networks, financial institutions, and major telecommunication companies. Additionally, firms will now be required to publish detailed user protection manuals. Lastly, the government also detailed plans to use artificial intelligence forensic systems to shorten investigation analysis timelines.
Outside of these proposed measures, the government also announced it is considering creating a new fund to compensate victims and strengthen data protection efforts. The funding for this new program will come from penalties imposed for data breaches.
THE IMPACT
While Coupang’s breach details are still emerging, this incident will likely accelerate the nation’s efforts to further harden cybersecurity standards. Given that the administration aims to release its long-term national security strategy before the end of 2025, this breach will give officials a stronger mandate to raise regulatory requirements, increase penalties, and expand government oversight, especially for larger companies and those tied to critical infrastructure.
For companies, the possibility of fines reaching trillions of won could increase the urgency both to improve security efforts and to better monitor for ongoing attacks. As Seoul prepares to release its new strategy, security leaders should monitor for updates and understand the new requirements that the government aims to impose on various business sectors. By effectively preparing for these requirements, companies can reduce the risk of major financial penalties and lessen government scrutiny.
India mandates new smartphone security app.
THE NEWS
On Monday, India mandated that all new smartphones must come pre-loaded with Sanchar Saathi, a state-owned cybersecurity application. Under this new order, smartphone makers will have ninety days to comply with the requirement, and manufacturers are required to “make an endeavour” to add the app to unsold devices that are no longer in manufacturing. Further, the order states that the state-owned application’s “functionalities cannot be disabled or restricted.” The Indian government stated that this new application was necessary to better help its citizens verify the authenticity of a handset and to report any misuse to telecommunication companies.
Beyond users being unable to control the application’s functionality, the service will also be able to make and manage phone calls, send messages, access the phone’s camera, and access stored data, including message and call logs, photos, and files.
India’s Minister of Communications Jyotiraditya Scindia did clarify that mobile phone users will have the option to delete the application. In a statement, Scindia wrote:
“This is a completely voluntary and democratic system - users may choose to activate the app and avail its benefits, or if they do not wish to, they can easily delete it from their phone at any time.”
All impacted companies have been asked to give the government compliance reports regarding the order within 120 days.
THE KNOWLEDGE
Since revealing the order, both privacy advocates and phone makers have already begun to push back. Apple released a statement signaling that it does not intend to comply but also does not plan to formally challenge the order or publicly criticize it.
Privacy experts warned that the application’s access represents a significant privacy concern for the nation’s citizens. The Internet Freedom Foundation stated:
“In plain terms, this converts every smartphone sold in India into a vessel for state-mandated software that the user cannot meaningfully refuse, control, or remove.”
Technology analyst Prasanto K Roy expressed concerns about the application as well. Roy stated:
“We can’t see exactly what it’s doing, but we can see it’s asking for a great deal of permissions - potential access to just about everything from flashlight to camera. This is itself worrying. Most companies prohibit installation of any government or third-party app before the sale of a smartphone, barring in China and Russia.”
For context, the application was released in January 2025 and allows users to check a device’s International Mobile Equipment Identity (IMEI), report lost or stolen phones, and notify telecommunication companies of suspected fraudulent communications. The app was created in response to the growing number of mobile devices with duplicate or spoofed IMEI numbers. The nation’s Department of Telecommunications emphasized that these spoofed IMEI numbers posed “serious endangerment” to telecommunication cybersecurity. To illustrate this problem, a 2020 report found that over 13,500 Vivo smartphones had the same IMEI number. At the time, Meerut SP Akhilesh N Singh stated that this security issue is used by criminals. These spoofed numbers allow criminals to mask stolen devices and bypass blacklists.
THE IMPACT
Currently, it is unclear whether or not this order will stand legally or if it will be challenged. Though Apple has already signaled its intention not to challenge the order, the company has stated that it has no intention of complying with it. If other phone manufacturers follow suit, this could result in legal battles, fines, and/or service offerings within the nation.
For India’s citizens, the forced installation raises significant privacy concerns, despite its intended security benefits. The application requests extensive access, which is notable given its state-owned status and ability to access a device’s stored data. People impacted by this rule should understand the application’s functions and be able to decide whether to delete it after purchase.
This Week's Caveat Podcast: Jumping into a time machine.
Dave Bittner and Ben Yelin break down how a new California law could impact web browsers nationwide and discuss how a Supreme Court case will impact copyright liability and ISP providers. Dave speaks with Daniel Woods, the Principal Security Researcher at Coalition, to discuss the rise of cyber insurance exclusions and the consequences of this emerging trend.
OTHER NOTEWORTHY STORIES
Apple Ads and Maps potentially subject to stricter EU rules.
What: European Union (EU) antitrust regulators set to examine Apple Ads and Maps.
Why: On Friday, EU regulators announced their intent to examine Apple’s Ads and Maps services to determine if they should be subject to greater requirements after both services hit key criteria. This development occurred after the European Commission stated that these two Apple services met the regional body’s requirements to be considered “gatekeepers” under the Digital Markets Act.
With this development, the Commission now has forty-five working days to decide whether to give this designation or not. If the Commission does give Apple this designation, the company will have six months to comply with these new requirements.
NOV 28, 2025 | Source: Reuters
Apple trying to stop Indian antitrust case
What: Apple is looking to block antitrust proceedings in India.
Why: On Monday, Apple began to contest an antitrust lawsuit filed by India by challenging the law that allows the country’s penalties to be calculated based on a company’s global turnover. Apple issued this challenge in November 2025, claiming that the legislation could impose disproportionate fines for cases that had occurred only within India.
Judges at the Delhi High Court have requested the Competition Commission of India to file a response to Apple’s arguments.
DEC 1, 2025 | Source: Reuters
Trump administration plans to take stake in chip startup.
What: The Trump administration is set to invest in xLight, an advanced semiconductor manufacturing startup.
Why: On Tuesday, the Trump administration announced its plans to take a $150 million stake in xLight. The startup aims to create free-electron lasers to improve lithography, a process in chip development that uses light to create print patterns on silicon components.
The Commerce Department stated that the government has signed a non-binding preliminary letter of intent to provide federal incentives to xLight through the CHIPS and Science Act in return for equity.
Commerce Secretary Howard Lutnick released a statement emphasizing:
“xLight’s FEL platform represents the kind of breakthrough innovation that restores American leadership, secures our supply chains, and guarantees that the next generation of semiconductors is born in the United States. This is the CHIPS program at its best.”
DEC 2, 2025 | Source: The Hill
