Non-members Also Exposed Through Family and Acquaintance Delivery Addresses
Actual Number of Victims Likely Higher
Coupang Takes No Separate Action for Non-members
Personal Information Protection Commission: "Coupang Must Notify Those Affec
The Personal Information Protection Commission has decided that Coupang must notify not only its members but also individuals listed in delivery address records about the data breach, drawing attention to the scope of personal information leaks involving non-members. The delivery address list contains information about recipients designated by Coupang members when sending products, and it appears that this information was compromised along with other personal data during the large-scale leak.
Coupang has taken measures such as sending notification messages to the 33.7 million members whose personal information was leaked, but has not taken any separate actions regarding non-members. Concerns are growing that the impact could be even greater depending on the extent of the delivery information leak.
On December 4, the Personal Information Protection Commission stated, "Currently, Coupang has only notified members about the breach," and added, "The company must also notify individuals included in delivery address records as soon as they can be identified." The Commission, during a plenary session the previous day, ordered that "Coupang must notify individuals whose information was leaked and who are included in delivery address records, within the scope in which they can be identified." The Commission also emphasized that any additional leaks must be reported and notified immediately.
According to the investigation, no notifications have been sent to people included in delivery address records who are not Coupang members. Typically, when purchasing goods from Coupang, users can select a delivery address during the order and payment process. It is common for members to register and select addresses such as their home or office, or to register non-member family members or acquaintances as delivery addresses.
One Coupang user expressed concern, saying, "My parents are elderly and need to purchase medicine regularly, so I registered their home as a delivery address and send them medicine or health supplements. In addition to my parents, I also occasionally send holiday gifts to relatives living in other regions, so doesn't this mean all their information might have been leaked as well?"
Although the Commission demanded the previous day that Coupang notify not only members but also individuals included in delivery address records whose information was leaked, the company has not yet taken prompt action. Coupang stores multiple delivery addresses registered by users as a set, requiring the entry of names, addresses, phone numbers, and even shared entrance passwords. This means that even if someone is not a Coupang member, any information registered by a member as a delivery address could have been leaked at the same time.
A non-member in his 50s, surnamed Jeong, said, "My daughter, who works, often has necessary items delivered to me through Coupang. However, since the Coupang data breach, I have not received any messages or information regarding the leak from Coupang." In response, a Coupang representative stated, "We have not yet been able to determine the exact number of people included in delivery address records, but we believe a significant portion are existing members. We will review the Commission's requirements and discuss them internally."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
