Coupang hit with record $409 million fine over massive insider-driven data breach

CISA orders faster patching as AI speeds exploitation, Suspected Russian hacker extradited to the US over Void Blizzard, OpenAI disrupts China-linked campaigns targeting US tech debates, Digital breadcrumbs lead to alleged leader of The Gentlemen, much more

Source: Bonnielou2013

Check out my latest CSO piece on CISA's new binding operational directive, which adopts a risk-based patching model driven by real-world exploitation, asset exposure, and attacker impact.


Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

Each day, Metacurity is read by thousands of cyber leaders, including some of the industry's top CISOs, security architects, practitioners, vendors, analysts, and journalists.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.


A South Korean regulator fined the country’s largest e-commerce platform, owned by US-listed Coupang Inc., a record 624.7 billion won ($409 million) for a wide-ranging cyber-intrusion that escalated into a diplomatic tiff with the US.

The Personal Information Protection Commission’s fine for Coupang Corp. — the company’s South Korean entity — is the biggest-ever levied by the country over a personal data breach. It easily surpasses the previous record of a 134.8 billion won penalty imposed on SK Telecom Co. just last year. Under Korean regulations, the regulator can impose fines of up to 3% of annual sales.

“This incident was caused not by a sophisticated hacking method, but by Coupang’s inadequate basic safety management system and negligent management,” said Kyung Hee Song, the chairperson of the regulator. “The company grew rapidly by using large-scale customer data to deliver innovative e-commerce services, but an investigation found that its personal information protection and management systems failed to keep pace.”

Coupang, South Korea’s leading online retailing platform, has been under fire after regulators discovered a former employee improperly accessed personal information from nearly 34 million accounts, or about two-thirds of the country’s population, undetected for months. (Jaehyun Eom and Shinhye Kang / Bloomberg)

Related: PI, Seoul Economic Daily, The Korea Times, Reuters, The Korea Herald, Al Jazeera, Financial Times, The Asia Business Daily, Hürriyet Daily News, The Straits Times, The International News, kursiv media, Wall Street Journal, Yonhap News, South China Morning Post, RFI, France24

The US Cybersecurity and Infrastructure Security Agency issued a new binding operational directive (BOD) that focuses IT and security operations on patching the most at-risk assets first. For some of the most serious categories of vulnerabilities in federal networks, the remediation window could shrink to three days, a compressed timeline driven in part by attackers' use of artificial intelligence.

"Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse," CISA Acting Executive Assistant Director for Cybersecurity Chris Butera told reporters. He said the directive was "an initial step to counter the increased capabilities of those emerging AI models."

Under the new directive, there is still more time to deal with less severe weaknesses, such as those that are not easy for hackers and cybercriminals to automate, or that do not concern publicly exposed digital infrastructure. An appendix to the order leaves two weeks to deal with many vulnerabilities and as long as two months for the least serious category of flaw. (Raphael Satter / Reuters)

Related: CISA, CSO, Nextgov/FCW, Wired, The Record, Federal News Network, CyberScoop, The Cyber Edge, Meritalk, The Cyber Express, SC Media

Denis Obrezko, a suspected Russian hacker, is in US custody after being extradited from Thailand and has been charged with facilitating a campaign of cyberattacks carried out by a Russia-aligned group that victimized numerous US companies.

He was arrested in Thailand in November and made his initial appearance in federal court in Boston in connection with a case that US authorities alleged concerned a large-scale cyber espionage campaign being carried out by a group known as Void Blizzard.

The 36-year-old was charged with conspiring to commit unauthorized access to a protected computer and is now being held without bond in a case that is being prosecuted by the US Department of Justice's National Security Division.

Thailand's Ministry of Foreign Affairs said in a statement the Thai government's decision to extradite Obrezko was in accordance with Thailand's domestic law and its obligations under the related treaties on extradition, "while fully respecting the due process of law of the defendant." (Nate Raymond / Reuters)

Related: FBI Affidavit, Databreaches.net

OpenAI banned China-linked accounts that used ChatGPT to draft social media influence campaigns targeting US debates over tariffs and AI data centers.

The campaigns don't appear to have been effective, but they show how pro-China actors are testing AI tools to amplify existing political and economic divisions in the US.

OpenAI said it uncovered two operations that used ChatGPT to generate posts, comments and political cartoons about US tech policy.

One campaign, dubbed "Data Center Bandwagon," generated comments and comics claiming AI data centers were driving up electricity prices for American families.

A second operation, "Tech and Tariffs," used ChatGPT to create content and political cartoons criticizing Trump's tariffs and the US push for global tech dominance. (Sam Sabin / Axios)

Related: OpenAI, Bloomberg, Business Insider, Politico, NPR, CyberScoop, The Next Web, Reuters, OpenAI

Screenshots of X posts where the text and images were generated by this operation. Source: OpenAI.

One of the world's fastest-growing ransomware groups, The Gentlemen, has attracted affiliates by offering them 90% of any ransom payments, helping it become the second most active ransomware operation by victim count.

The group's alleged administrator, who operated under the aliases "zeta88" and "hastalamuerte," has left a trail of digital clues behind. Those clues emerged in part from a leaked internal database that exposed details about the group's infrastructure, affiliates, and management.

By tracing years of activity across cybercrime forums, messaging platforms, and other online services, those clues link those aliases to a Russian-speaking individual believed to have played a central role in building and running the ransomware program.

These findings highlight a recurring theme in cybercrime investigations: even sophisticated criminal operators often leave behind enough personal details over time to expose their identities. In this case, the same operational security lapses that helped build a successful ransomware enterprise may also have provided investigators with a roadmap to its leadership. (Brian Krebs / Krebs on Security)

A wave of AI experts reacted with frustration over the downgrading restrictions Anthropic has placed on Claude Fable 5, accusing the company of gatekeeping to harm potential competitors and of muddying outside researchers' ability to assess and use Fable to its full potential.

In response, the company said it would now make those safeguard notifications visible as well.

When a user touches on sensitive topics like bioweapons and cybersecurity, Fable pops up a notification and then redirects the conversation to an earlier, less capable model.

Fable also degraded the quality of its responses about high-end AI development to be less useful for developers looking to build AI tools that might not have the same safeguards. For these responses, there was no pop-up notification, however. The company cited national security and its own terms of service as reasons for the invisible restrictions. (Sam Schechner / Wall Street Journal)

Related: TechCrunch, The Verge, New York Times, Stratechery, International Business Times, Constellation Research, GovTech, Wall Street Journal, Gizmodo, Telegraph, The New Stack, How-To Geek, ZDNET, One Useful Thing, Hacker News, r/ClaudeCode, r/ClaudeAI, Business Standard, iTnews, The GitHub Blog, Forbes, Fortune, The American Bazaar, Pulse 2.0, CloudZero, The Economic Times, Mashable, MediaNama, Understanding AI, TechRadar, Help Net Security, NBC News

The Canadian government introduced a digital safety bill that would ban social media for children under 16, with exemptions for platforms that meet certain safety standards, months after Australia enacted the world's first social media ban for young people.

The bill also aims to make AI chatbots safer by setting up a digital regulator to establish safety standards, a government official said.

Companies could face penalties of 3% of global revenue or up to C$10 million ($7.2 million), whichever is more, for failing to comply.

“Social media platforms and AI chatbots are designed to capture attention. They do not support healthy childhood development and have become a source of anxiety, isolation, depression and a range of other mental health challenges for many young Canadians,” said Marc Miller, minister of Canadian identity and culture.

In December, Australia became the world’s first country to ban social media for children under 16. A month after its law was introduced, social media companies collectively deactivated the accounts of nearly 5 million teenagers.

Canadian government officials in a technical briefing said it could take a year for the bill to pass and 18 months to set up the digital regulator once it does. (Maria Cheng / Reuters)

Related: Government of Canada, CBC News, Benzinga, Politico, Government of Canada, Wall Street Journal, SiliconANGLE, New York Times, Agence France-Presse, Engadget, NewsMax.com, Al Jazeera, Global News, BBC, Associated Press, Michael Geist, MobileSyrup, iPhone in Canada, BetaKit, Globe and Mail, The Logic, Bloomberg

Anthropic CEO Dario Amodei backed a testing regime for frontier AI models that would allow governments to block or deter deployment if an independent third-party auditor deems it too risky for public release.

Amodei’s comments, published in a blog post, represent the most aggressive regulatory framework backed by a major AI CEO to date. The proposal follows an executive order on AI oversight signed by President Donald Trump on June 2 that gives the intelligence community an enhanced role in model testing.

Comparing AI oversight to the Federal Aviation Authority’s approach to aircraft safety, Amodei said, “Frontier AI models, like airplanes, should be required to go through technical testing and auditing, and their release should be blocked or reversed as a threat to public safety if they do not meet high standards of safety.”

According to Amodei, private organizations should be empowered to audit models across four main risk areas: “cybersecurity, biological weapons, loss of control of AI systems and automated R&D,” referring to AI models’ potential ability to improve themselves autonomously.

Trump’s AI executive order set out a government-led voluntary testing protocol under which AI companies are asked to submit. (Owen Dahlkamp / Politico)

Related: Dario Amodei, r/Anthropic, Bloomberg, Silicon Angle, Crypto Briefing, Business Standard, BeInCrypto


Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.

That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.

Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.


The FBI and Justice Department seized 13 websites allegedly used by Chinese intelligence operatives to target current and former US officials and military personnel with access to classified government information.

The DOJ said the domains were designed to look like legitimate consulting firms and were used to advertise vague, well-paid consulting roles aimed at security clearance holders. The campaign, which allegedly began in November 2023, sought to entice Americans into producing research reports or sharing insider information on topics of interest to the Chinese government, according to court documents.

The seized domains included sites associated with firm names like Centrik Global Consulting, Rightinfo Consulting, Finnacle-Vesper Consulting, CYDF Consulting, Pulse Wave Global, Catalyst Global Solutions, Horizzen, GeoIndopacific, SafeSec Group, and others.

The campaign relied on familiar job-market platforms and freelance sites to advertise positions such as “Senior Analyst” and “International Affairs Consultant.”

The Justice Department said the operators used aliases, fake personas, stolen identities and artificial intelligence-generated photographs to make the companies appear credible. The alleged scheme also involved encrypted messaging apps, including Telegram, overseas payments, cryptocurrency, and online payment accounts registered under false names, according to an affidavit filed in support of the seizure warrants. (David DiMolfetta / NextGov/FCW)

Related: Justice Department, Washington Times

Hopes are fading for a breakthrough in Congress to salvage a warrantless surveillance law, Section 702 of the Foreign Intelligence Surveillance Act, or FISA, before its expiration on Friday, after Donald Trump dug in on naming a close ally, Bill Pulte, who has alienated members of both parties to a top intelligence post.

Section 702 is the legal underpinning for what is widely considered to be the most powerful surveillance tool the federal government has at its disposal, credited with generating intelligence that thwarts terror plots, defangs foreign hackers, curtails drug trafficking and gleans key insights for policymakers about chief rivals like China and Russia.

Trump administration officials and some Republican lawmakers have warned that letting Section 702 lapse would risk grave security threats to the United States, especially as the war in Iran grinds on.

But while a bipartisan coalition had been pushing toward a deal to extend it, Mr. Trump injected fresh chaos into the debate last week by naming Bill Pulte, his top housing official and a confidant without any national security experience, as acting director of national intelligence.

Republican congressional leaders have toiled in recent days to persuade the president to drop Mr. Pulte — or at least to name a permanent replacement for the top intelligence post who could be quickly confirmed — arguing that they could not muster the votes to renew Section 702 otherwise. (Dustin Volz and Robert Jimison / New York Times)

Related: Politico, CNBC, NBC News, The Hill, Reuters, Politico

Researchers at Reversing Labs report that hackers are exploiting TikTok and Instagram Reels to distribute the Vidar infostealer.

These campaigns are different from standard phishing emails containing infected links, as they manipulate social media platforms to make malicious content go viral.

This trick relies on tutorial-style videos that promise free access to paid applications like Spotify Premium or Microsoft Word. Scammers have ensured the clips look professional, using clear graphics and automated voiceovers to establish authority.

In one identified technique, scammers create accounts with usernames like windows.tips, using a blue and white crown logo that mimics the official Windows icon. The videos instruct viewers to open PowerShell on their Windows computers and type in a specific command: iex irm.

This deceptive instruction has PowerShell quietly connect to a remote server, fetch a payload, and execute it. For example, users are told to point the command at a domain called msget.run/spotify, and since the video appears legitimate, they run the code without checking what is being downloaded.

The second strategy targets user curiosity through casual clips. Scammers post videos showing off premium app features over trending background music and encourage viewers to comment with words like ok to learn the secret.

Once a user replies, the hacker sends a direct message directing them to fake download sites like d4ug.site, which claims to unlock premium games and AI tools but actually redirects victims to dead-end surveys or malicious links. (Deeba Ahmed / HackRead)

Related: Reversing Labs, SC Media, Infosecurity Magazine

Screenshot of a video of the Spotify app with the caption, as seen in a sample lure video posted on TikTok. Source: Reversing Labs.

Researchers at Black Lotus Labs at Lumen say the JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts.

JDY maintains a strong focus on the United States, where many of its compromised devices are located and where it heavily targets military and associated networks.

The security firm notes that JDY has grown from roughly 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today.

While the numbers seem low, it's important to note that JDY isn't an exploitation framework or a DDoS botnet that requires large swarms to accumulate firepower, but is instead a distributed scanning and fingerprinting network that helps its operators locate targets vulnerable to newly disclosed flaws.

The JDY botnet is designed to conduct service discovery, service banner grabbing, TLS certificate collection, protocol fingerprinting, and flaw-focused reconnaissance.

Among the compromised devices are those from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, for MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. (Bill Toulas / Bleeping Computer)

Related: Lumen, The Register

Most impacted countries by the JDY botnet. Source: Black Lotus Labs

Researchers at SafeDep report that the Miasma credential-stealing attack framework, which has recently targeted open-source ecosystems through supply-chain attacks, was briefly open-sourced on GitHub.

Miasma appears to be an evolution of the earlier Shai-Hulud worm, which was previously leaked on GitHub and shares many of the same features, techniques, and even code.

The malware infects a developer machine, steals the build environment and cloud credentials, and then uses those to compromise legitimate repositories and packages, publishing trojanized versions to infect downstream developers and repeat the cycle.

This autonomous, worm-like self-propagation mechanism can quickly expand its reach, potentially turning a single breach into a widespread supply chain attack.

The malware has previously been linked to high-profile attacks against Red Hat npm packages and, more recently, 73 Microsoft repositories on GitHub.

Software developers are advised to pin project dependencies, introduce multi-day delays before adopting newly released package updates, and validate new builds in isolated test environments. (Bill Toulas / Bleeping Computer)
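The first two pieces of that advice, pinning dependencies and waiting a few days before adopting a fresh release, can be checked mechanically. The following is an added example, not code from SafeDep or Bleeping Computer: it audits a constructed package.json for non-exact version specs and compares each resolved version's publish timestamp against a cooling-off period. The registry timestamps are embedded inline, shaped like the "time" map of an npm packument, so the check runs offline; the package names, versions and the fixed clock are all hypothetical.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed package.json for a hypothetical project (not a real package set).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "left-util": "^1.4.0",
    "tiny-log": "2.1.3",
    "fast-json": "~3.0.1",
    "colorful": "latest"
  }
}"""

# Constructed lockfile resolution: the exact version an install would pull today.
RESOLVED = {"left-util": "1.4.1", "tiny-log": "2.1.3", "fast-json": "3.0.2", "colorful": "0.9.0"}

# Constructed publish timestamps, shaped like the "time" map of an npm packument
# (version -> ISO 8601 publish time). A real check would fetch this from the
# registry; it is embedded here so the example runs offline.
REGISTRY_TIME = {
    "left-util": {"1.4.0": "2025-01-10T00:00:00.000Z", "1.4.1": "2025-06-01T00:00:00.000Z"},
    "tiny-log": {"2.1.3": "2025-03-01T00:00:00.000Z"},
    "fast-json": {"3.0.1": "2025-02-15T00:00:00.000Z", "3.0.2": "2025-05-20T00:00:00.000Z"},
    "colorful": {"0.8.9": "2025-04-01T00:00:00.000Z", "0.9.0": "2025-06-02T00:00:00.000Z"},
}

# Fixed clock so the result is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 6, 3, tzinfo=timezone.utc)

EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def find_unpinned(package_json_text: str) -> list[str]:
    """Names whose spec is a range, a dist-tag, or anything other than an exact x.y.z."""
    deps = json.loads(package_json_text).get("dependencies", {})
    return [name for name, spec in deps.items() if not EXACT_VERSION_RE.match(spec)]


def version_age_days(name: str, version: str, registry_time: dict, now: datetime) -> int:
    """Whole days since the given version was published."""
    published = datetime.fromisoformat(registry_time[name][version].replace("Z", "+00:00"))
    return (now - published).days


def find_too_new(resolved: dict, registry_time: dict, now: datetime,
                 min_age_days: int = 3) -> list[tuple[str, str, int]]:
    """Resolved versions younger than the cooling-off period, as (name, version, age_days).

    A worm that hijacks a maintainer's publish token ships a trojanized version
    immediately; a multi-day delay gives the ecosystem time to notice and yank it
    before this project ever installs it.
    """
    hits = []
    for name, version in resolved.items():
        age = version_age_days(name, version, registry_time, now)
        if age < min_age_days:
            hits.append((name, version, age))
    return hits


def audit(package_json_text: str, resolved: dict, registry_time: dict,
          now: datetime, min_age_days: int = 3) -> dict:
    return {
        "unpinned": find_unpinned(package_json_text),
        "too_new": find_too_new(resolved, registry_time, now, min_age_days),
    }


if __name__ == "__main__":
    report = audit(PACKAGE_JSON, RESOLVED, REGISTRY_TIME, NOW)
    for name in report["unpinned"]:
        print(f"unpinned: {name}")
    for name, version, age in report["too_new"]:
        print(f"too new: {name}@{version} was published {age} day(s) ago")
```

Wiring this into CI as a failing check before `npm ci` is the natural place for it; the pinning check catches drift in package.json, while the age check catches the case the article describes, where a lockfile update silently pulls in a version that was published hours earlier.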

Related: SafeDep, The Register

Architecture diagram. Source: SafeDep

Jamaica's Health and Wellness Minister Dr. Christopher Tufton confirmed that a hacker group contacted the National Health Fund (NHF) claiming to be in possession of confidential information belonging to some of the agency’s clients, as investigations into a cyber incident affecting the organization continue.

Tufton said the NHF had received communication from individuals claiming responsibility for the breach, but stressed that the authenticity of the alleged stolen data has not yet been verified.

“There has been some communication from some deviant around this breach,” Tufton told journalists. “The NHF has confirmed receipt of a threat from a hacker group claiming to have access to some of the data. It's not yet confirmed. Even though they have indicated some of the data that they say they have, it's not yet confirmed.”

According to the minister, the information allegedly accessed relates primarily to medication records and details regarding beneficiaries' use of prescription drugs through the NHF.

“It's confidential data. We don't reveal our history of medication administration, and we do get attacks on a daily basis, just as the banks do and so on,” Tufton said.

He noted that enough evidence had emerged from the incident to require formal notification to the Office of the Information Commissioner (OIC), in keeping with Jamaica's data protection requirements. (Joanne Clark / CNW)

Related: Jamaica Observer, Jamaica Gleaner, Jamaica Star

A Filipino hacktivist group identifying as “Nullsec Philippines” claimed responsibility for the purported defacing of the country's Senate website with the words "Transparency is Not Optional."

“The Filipino people entrusted you with power, responsibility, and the duty to serve the nation—not personal interests, political dynasties, or corrupt networks,” Nullsec stressed in a social media post.

In a statement, the Senate Electronic Data Processing Management Information System (EDP-MIS) confirmed the incident and said security protocols have been implemented to contain the issue, initiate an investigation, and prevent similar incidents. (Jason Sigales / Inquirer.net)

Related: Sun Star Daveo News on Facebook, Rappler, Philstar, The Manila Times, Manila Shaker, The Filipino Times

The ShinyHunters criminal group has claimed credit for accessing a "significant amount" of personal student data held by the University of Nottingham.

The university said it was believed the group accessed the data for current students and alums - including financial information - from its record system.

In an email sent to students, chief governance and risk officer Jason Carter said those behind the major cyber-attack, who had "previously targeted a number of other organizations", were likely behind the breach.

In a statement, the university apologized to those affected for "any anxiety" caused.

It is understood that the university identified the unauthorized activity on its Campus Solutions system.

All affected students and alums have since been contacted, a university spokesperson said. (Will Jefford / BBC News)

Related: University of Nottingham, Bleeping Computer, Security Week, Intelligent CISO, The Register, The Telegraph

Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.

Widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances have taken place. These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang.

The threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.

ShinyHunters says they are using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks. However, they state that their attack is not working on all systems and believe that exploitation success may depend on how an instance is configured.

According to the threat actor, most of the organizations impacted by these attacks are in the education sector, with many previously extorted by the threat actor.

They claim their initial goal was to breach an FBI portal running PeopleSoft to "publish a statement and set the record straight on some misinformation that has been spreading." However, they said their attack was not successful, and they were unable to gain access to the instance.

The threat actor told BleepingComputer that Nottingham University is a victim of these attacks and that its data has already been published on the ShinyHunters data leak site. The University also released a statement, acknowledging that it suffered a cybersecurity incident. (Lawrence Abrams / Bleeping Computer)

Related: TechCrunch, Crypto Briefing, SC Media

Senate Intelligence Committee Vice Chairman Mark Warner (D-VA) introduced legislation requiring the Cybersecurity and Infrastructure Security Agency to update cybersecurity plans for each of the nation’s 16 critical infrastructure sectors, citing concerns that fast-evolving artificial intelligence tools will accelerate threats to essential services.

The Combat Emerging Threats to Critical Infrastructure Act, first shared with Nextgov/FCW, would direct CISA to work with federal sector risk management agencies to update sector-specific plans within one year of enactment. It would also require CISA to reassess those plans every two years, issue revised versions, and send copies to Congress after completion.

“As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” Warner said in a prepared statement. “It’s critical that government works closely with industry, regulators and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.”

The sector plans serve as the government’s basic playbook for managing cyber and physical risks across major parts of the economy. (David DiMolfetta / NextGov/FCW)

Related: Senator Warner, Industrial Cyber, Federal News Network

Rep. Don Bacon (R-NE), a frequent critic of Russian leader Vladimir Putin and Moscow’s war in Ukraine, says his Signal messaging account was recently hacked by Russians.

The hawkish Nebraska lawmaker said that Russian government-linked operatives compromised his account on the encrypted messaging app about “four to five months” ago, and that both the FBI and IT specialists in the House are investigating the activity.

Bacon said he was not concerned that Moscow had siphoned any classified information from his account because he doesn’t use it to share or store sensitive information. He recounted that the hackers had masqueraded as a close acquaintance to gain access to his Signal account. The tactics he described appear consistent with spear-phishing, in which hackers lure victims into downloading malware or otherwise unwittingly granting access to their accounts. (John Sakellariadis and Maggie Miller / Politico)

Related: Washington Examiner

AI security company Cyera announced it had raised $600 million in a recent funding round.

Evolution Equity Partners led the round with participation from Cyberstarts and Temasek, in addition to all existing investors, including Accel, AT&T Ventures, Blackstone, Coatue, Spark Capital, among others. (Niko Gallogly / New York Times)

Related: Business Wire, CTech, Reuters

Pi Security, a San Francisco, CA-based agentic AI security startup, raised $35 million in a recent venture capital funding round.

Brightmind Partners and Third Point Ventures led the round, with participation from security leaders including CrowdStrike CEO George Kurtz and Armis founders Yevgeny Dibrov and Nadir Izrael. (Thomas Brewster / Forbes)

Related: FinSMEs, CTech

Best Thing of the Day: On the Bright Side, Security Is at the Forefront of AI?

Administration officials, including National Cyber Director Sean Cairncross, have told the Center for AI Standards and Innovation to halt publication of its model assessments while an executive order President Trump signed last week is implemented and the administration works with Anthropic and OpenAI to control who has access to their best products.

Worst Thing of the Day: Just Scrolled Around and Found Nearly a Million Photo IDs

Security researcher Sammy Azdoufal discovered over 985,000 photo IDs sitting on the public internet for any half-decent hacker to steal.
