Chinese Developer Formerly Employed by Company Suspected of Data Theft
South Korea’s biggest online retailer, Coupang, is warning most of the nation’s populace that their data was exposed in a months-long, massive breach.
See Also: Going Beyond the Copilot Pilot – A CISO’s Perspective
Coupang said the breach appeared to be perpetrated using overseas servers, began on June 24 and continued until last month. It led to the theft of data pertaining to 33.7 million customers in a country of 52 million.
“Coupang is currently reviewing changes to its existing data security devices and systems to better protect customer data from future incidents,” said Park Dae-jun, Coupang’s CEO, in a statement posted to the company’s website on Sunday.
Exposed information includes names, email addresses, phone numbers, shipping addresses and some order information, the company said. Passwords and other account information, payment details and payment card were not exposed, it said.
The company said it’s putting in place enhanced cybersecurity defenses following the breach, which it’s continuing to probe. “Coupang blocked the unauthorized access route, strengthened internal monitoring and retained experts from a leading independent security firm,” a spokesperson told Information Security Media Group.
The count of breach victims equals two-thirds of the country’s population.
The breach came to light after a suspected former employee contacted the company, demanding a payoff for a promise to not release stolen data pertaining to over 30 million customers, reported state-affiliated news agency Yonhap.
Investigators believe the former employee is a Chinese national who fled the country, Yonhap reported.
Park told legislators at a Tuesday parliamentary hearing that the suspected hacker worked as a developer for systems designed to verify users. It’s not known if the suspect had accomplices, Yonhap reported.
The government promised a swift probe. “We must swiftly determine the cause of the accident and strictly demand accountability,” said South Korean President Lee Jae Myung on Tuesday, adding that he was shocked the breach ran for five months before being discovered, Yonhap reported.
Founded in 2010, Coupang is often described as being the Amazon of South Korea, and runs a popular Rocket Fast delivery service. As of June 30, the company counted 24.7 million active customers, up 10% year on year.
South Korea’s independent privacy watchdog, the Personal Information Protection Commission, said it received two breach notifications from Coupang – on Nov. 20, reporting that 4,500 people appeared to be impacted, and again on Saturday with the revised victim count – leading to it launching a “prompt, thorough and rigorous investigation on Coupang.”
The commission said it will focus on whether the company violated its obligations regarding security safeguards such as access controls, access rights management and encryption. This past weekend, South Korean government officials said they convened “a high-level emergency response meeting” involving multiple government agencies, police and the commission.
The e-commerce giant could face significant fines if regulators identify data security shortcomings.
The ministry’s Korea Internet & Security Agency warned Coupang customers to beware of potential phishing attacks that employ the stolen data.
Coupang’s stock, which trades on the New York Stock Exchange under the ticker symbol CPNG, dropped 7% in value following news of the breach coming to light.
Even so, Wall Street analysts forecast minimal impact from the breach in terms of customer churn, given Coupang’s dominant position in the e-commerce market. JPMorgan said in a report that “a significant one-off loss could occur” for the company if it either opts to voluntarily compensate affected customers or if the PIPC imposes a fine, reported Reuters.
Fourteen Coupang users have already sued the company in Seoul Central District Court, seeking $137 each, reported the Chosun Daily. The complaint argues that leaked home addresses and purchase histories raise concerns about privacy violations and potential secondary harm such as voice phishing. Legal observers told the newspaper the breach could lead to the largest class action lawsuit in South Korean history involving personal data.
As investigations continue, Coupang faces rising pressure from regulators, customers and industry experts who say the incident exposes deeper governance failures across South Korea’s most critical digital commerce platforms.
The breach of Coupang follows two other major breaches affecting South Koreans.
The country’s largest mobile operator, South Korean Telecom, reported in April suffering a data breach that exposed subscriber information. The telecom later said attackers gained access to personal information pertaining to over 23 million subscribers. In August, the privacy commission fined SK Telecom $97 million for data security violations.
Regulators are also probing a breach of the country’s largest cryptocurrency exchange, Upbit, owned by Dunamu, which on Thursday reported that hackers stole Solana-affiliated assets worth 44.5 billion won ($31 million). The company said it will compensate all affected crypto holders using its own assets. South Korean government officials on Friday attributed the attack to North Korea’s Lazarus Group.
With reporting by Prajeet Nair in Bengaluru, India.