Over 30 Million Customer Records Breached... Coupang Unaware for 5 Months

Virtually All Customer Data Compromised
Concerns Rise Over Potential Secondary Damages

Coupang, the leading e-commerce company in South Korea, has experienced a massive data breach involving more than 30 million records. Concerns among consumers are growing, as there are indications that customer information may have been leaked as far back as six months ago.


According to the retail industry on November 30, Coupang announced the previous afternoon that "approximately 33.7 million customer accounts were confirmed to have been exposed without authorization."

Coupang vehicle depot in downtown Seoul. Photo by Yonhap News Agency

According to Coupang, the exposed information was limited to customer names, email addresses, phone numbers, physical addresses, and some order details. Payment information and credit card numbers were not included.


The company stated, "Based on our investigation so far, we believe that unauthorized access to personal information began on June 24 through overseas servers."


This means that attempts to steal customer information have been ongoing for five months.


Coupang became aware of the incident on November 18 and reported the matter to the Personal Information Protection Commission on November 20 and again the previous day. The Personal Information Protection Commission is currently conducting an investigation. If violations of the Personal Information Protection Act's safety measures are confirmed, strict sanctions will be imposed.


The Ministry of Science and ICT has formed a joint public-private investigation team to analyze the cause of the incident and devise measures to prevent recurrence. The Seoul Metropolitan Police Agency's Cyber Investigation Unit received a formal complaint from Coupang on November 25 and has launched an investigation into the data breach.


Consumers are expressing concerns about secondary damages. In particular, as Coupang revised the estimated scale of the breach by about 7,500 times in just nine days, there are concerns that additional damages may follow. Since it has been confirmed that information theft attempts began in June, there is speculation that data may have been leaked over several months.


On November 20, Coupang initially announced that about 4,500 customer accounts had been affected, but the following day, it updated the figure to 33.7 million accounts.


In its third-quarter earnings report, Coupang revealed that there were 24.7 million active product commerce customers (those with purchase history), meaning the number of affected accounts exceeds this figure. Effectively, almost all customer information has been compromised.


The scale of this data breach at Coupang surpasses that of SK Telecom's personal information leak, which affected about 23.24 million people and resulted in the largest-ever fine (134.8 billion won) imposed by the Personal Information Protection Commission for a privacy violation.


Looking at security incidents at other companies, investigations by authorities have often revealed that the actual scope of damage was greater than initially announced. For example, after a cyber incident at Lotte Card, the company stated in an apology on September 4 that "no customer information leak has been confirmed so far," but two weeks later, it was revealed that not only card numbers but also sensitive information such as CVC numbers had been leaked.


KT has faced allegations of concealing evidence by disposing of servers during the handling of a hacking incident, prompting the police to launch a compulsory investigation this month.


Meanwhile, in addition to this data breach, Coupang has recently been at the center of ongoing social controversies in South Korea. These include labor issues involving delivery drivers and logistics center workers, allegations of external pressure in the investigation of unpaid severance pay by Coupang Fulfillment Services (CFS), and disputes over marketplace commission fees.


At last month's National Assembly audit, CEO Park Daejoon and other Coupang executives appeared as witnesses before five standing committees and faced criticism from both ruling and opposition lawmakers. In addition, the alleged external interference in the investigation, raised during this audit, will now be subject to a special independent counsel investigation.


© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

