Coupang's CEO, Park Dae-Jun, has offered an apology to 33.7 million of the company’s customers whose accounts were compromised in a recent data breach.
South Korea’s largest online retailer, Coupang, experienced a data breach that affected 33.7 million customer accounts. The exposed information includes names, phone numbers, email addresses, shipping addresses, and order histories.
Coupang is currently under investigation by South Korean regulators to determine the company's culpability in the breach.
Coupang Confirms 33.7 Million Breached Accounts
South Korean e-commerce giant Coupang has confirmed that personal information from 33.7 million customer accounts was compromised due to unauthorized access. This breach impacts nearly two-thirds of South Korea’s total population.
“We sincerely apologize once again for causing our customers inconvenience,” stated Coupang’s CEO Park Dae-jun in a message published on the company’s website.
The company first detected the breach on November 18, initially reporting that approximately 4,500 customer accounts were affected. However, subsequent investigations revealed that the number of compromised accounts had risen to 33.7 million.
The exposed data includes names, email addresses, phone numbers, shipping addresses, and certain order histories. Crucially, more sensitive information such as payment details or login credentials was not compromised.
Cybersecurity experts have issued warnings that the compromised data could still be exploited for identity theft, phishing attacks, and other malicious activities.
The company reported having 24.7 million active commercial users in the third quarter. This suggests that the breach may have also affected data from former customers and dormant accounts.
Some of Coupang’s affected customers are reportedly preparing to file a class-action lawsuit in response to the incident.
The Minister of Science and ICT, Bae Kyung-hoon, confirmed that the government convened an emergency meeting and is investigating whether Coupang violated safety regulations concerning personal information protection.
The Ministry of Science and ICT has established a joint investigation team to analyze the root cause of the incident.
According to reports from Yonhap News Agency, a former Chinese employee at Coupang is suspected of being behind the breach, though that individual has since left the country. Coupang filed a formal complaint with the police earlier this month, but did not name a specific suspect in its filing.
Frequent Cyber Attacks in South Korea
Earlier this year, SK Telecom, South Korea’s largest mobile carrier, experienced its own significant breach that exposed phone numbers, subscriber identification numbers, and SIM authentication keys belonging to 23.2 million users.
In August, South Korea’s privacy regulator imposed a record fine of 134.8 billion won ($97.2 million) on SK Telecom. The regulator cited "basic security failures and poor management" as reasons for the company's vulnerability to cyber attacks.
The regulator found that SK Telecom had failed to encrypt 26.1 million SIM authentication keys, leaving them exposed in plain-text databases. Furthermore, the company reportedly ignored intrusion detection logs and did not apply available security patches.
Other major companies have faced similar security challenges. These include the telecommunications firm KT Corp. and financial services company Lotte Card, both of which announced data leaks in recent months.
The record fine imposed on SK Telecom earlier this year demonstrates that South Korean regulators expect companies to prioritize customer protection. Coupang could face comparable consequences depending on the findings of the ongoing investigation.
Coupang has stated its full cooperation with the authorities and has confirmed that the unauthorized access route has been blocked. The company’s internal monitoring systems have reportedly been enhanced.