Chilled by 5.12 Million Won Overseas Payment Attempt with Coupang-Registered Card: "I Will Join Class Action Lawsuit"

Mr. Ohmo (35, male) received a text message from his card company at 6:30 a.m. on the 5th stating that a payment exceeding 5 million Korean won in United Arab Emirates currency was attempted but declined through the overseas ticket resale platform Viagogo. He had registered the card for automatic payment on Coupang. Provided by Mr. Ohmo

"[Web Notification] Overseas Declined, 12,776.94 United Arab Emirates Dirhams (approximately 5.12 million won), Viagogo event ticket."

Ohmo (35, male) unlocked his phone at 6:30 a.m. on the 5th after suddenly hearing it ring. It was a text message from his credit card company stating that a payment exceeding 5 million won in United Arab Emirates currency had been attempted but declined through the overseas ticket resale platform Viagogo. Ohmo had no connection to either Viagogo or the United Arab Emirates. If he had not set his overseas payment limit at 4 million won, the transaction would have gone through before he could do anything. Breathing a sigh of relief, Ohmo tried to figure out the cause. He recalled that he had registered this card for automatic payment on Coupang. Naturally, the recent Coupang personal information leak came to mind.

Ohmo had seen the news on November 29 that 34 million cases of personal information had been leaked from Coupang, but it did not feel very real to him. After all, personal information had been leaked multiple times before, and he had not suffered any damage so far. However, after almost falling victim to payment fraud, his perspective changed. Coupang's response also influenced his thinking. When Ohmo informed Coupang that an unauthorized payment had almost been made using his automatic payment card, the customer service representative repeatedly told him, "It has been confirmed that no payment information has been leaked. There have also been no confirmed cases of secondary damage from this incident," and advised him to check the payment route through his card company. Ohmo said, "Coupang's response was not reassuring, which made me even more dissatisfied," adding, "I plan to join a class action lawsuit against Coupang."

A large-scale personal information leak involving approximately 34 million cases occurred at Coupang, the number one e-commerce company in Korea. On the 2nd, a Coupang logistics center in Seoul was seen. Photo by Yonhap News Agency

Consumers are increasingly anxious every time news emerges of unauthorized payment attempts being made with cards registered on Coupang. There are also growing concerns that the already rampant voice phishing problem could worsen due to repeated personal information leaks.

Lee (32, male) testified that he almost fell victim to voice phishing following the recent USIM information leak at SK Telecom. Lee, who uses SK Telecom as his mobile carrier, received a call from an unknown number at work in September. He was told that he was allegedly involved in providing a bank account for illegal use and that he needed to transfer all his money to a designated account immediately. Flustered, Lee did not suspect voice phishing and headed to a nearby bank to send the money. Fortunately, a bank employee suspected it was voice phishing and reported it to the police on his behalf, saving him from the crisis. After catching his breath, Lee wondered, "How did they know my number?"

Lee said, "Voice phishing like this happens all the time, but after the Coupang incident, people around me either act like it's no big deal or say there's no more personal information left to steal," adding, "Individuals can't prevent personal information leaks, but the reality is that we must know how to protect ourselves from voice phishing."

Even those who were previously indifferent to personal information leaks agreed that things cannot continue this way after the Coupang incident. They stressed that at the very least, Coupang should be severely punished so that companies pay more attention to protecting personal data. Choi (32, male) also said he had not thought much about the Coupang incident, but believes Coupang must come up with proper countermeasures. Choi said, "Since many people have gotten used to dawn delivery and other services, I don't think many customers will leave Coupang," but added, "Even though nothing can be done about information that's already been leaked, companies should of course compensate affected customers appropriately. They also need to strengthen security so that consumers can feel safe." Choi, who became a father in September, added, "Still, I hope my child's personal information is protected."

On the other hand, there are still people who remain indifferent despite more than 33 million cases of personal information being leaked from Coupang. According to major foreign media outlets on the 2nd (local time), JP Morgan released a report stating that the Coupang data leak is unlikely to result in significant customer attrition, citing Coupang's dominant position in the e-commerce market. However, the report also included a shocking observation: "Korean customers seem less sensitive to data breaches."

Ryu (35, male) is one of those who is not particularly concerned about the Coupang incident. His reasoning is that his personal information has already been leaked so many times. Ryu said, "Not a single day goes by without receiving a spam text trying to induce voice phishing," and added, "Whether my information is leaked from five companies or ten, I don't think it makes much difference."

As Ryu pointed out, several major personal information leaks have already occurred this year alone. In April, SK Telecom experienced an unprecedented incident in which USIM information for 26.96 million people was leaked. Since August, KT had unauthorized small payments made on some customers' mobile phones in the Seoul metropolitan area, with about 22,000 phone numbers and International Mobile Subscriber Identity (IMSI) numbers leaked. Lotte Card also suffered a hacking incident in August, resulting in the leak of personal information for 2.97 million people, along with the card PINs and CVC codes for 280,000 cards.

Ryu was not always indifferent to personal information leaks. He recalled the July 2011 incident involving SK Communications, which operated Nate and Cyworld, where the personal information of 35 million customers, including IDs, names, and phone numbers, was stolen by hackers, causing a major controversy. However, in 2018, the Supreme Court ruled against the plaintiffs in a damages lawsuit filed by victims of the data breach against SK Communications, stating that there was no basis to conclude the company had violated its legal or contractual obligations to ensure data security.

Ryu said, "It wasn't just Nate and Cyworld. News of personal information leaks from major corporations has been repeated, and every time I heard it, I got annoyed," adding, "With data breaches happening so often, I've become numb to such news. Also, seeing companies that caused such massive problems continue to operate as usual, I don't think Coupang will take proper responsibility either." In fact, Coupang deleted the public apology posted on its website on November 30 after just three days. On December 2, Coupang CEO Park Daejoon stated at the National Assembly's Science, ICT, Broadcasting, and Communications Committee's inquiry on the Coupang breach that "we plan to send individual apology letters via email." Park also explained, "No payment information was leaked."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.