South Korea Probes Massive Coupang Data Breach Affecting 33 Million Customers
South Korean police have launched an investigation into a major data breach at e-commerce giant Coupang, which exposed the personal information of more than 33 million users. Authorities say the incident is the country’s largest data leak in over a decade, prompting fresh concerns over cybersecurity and data protection standards.
Breach Linked to Authentication Flaws
According to South Korea’s Science Minister Bae Kyung-hoon, hackers exploited authentication vulnerabilities in Coupang’s servers. The breach reportedly began on 24 June, but the company did not detect it until 18 November. Investigators are now tracing IP addresses and examining possible technical weaknesses that may have allowed the attack to occur through overseas servers.
Coupang, backed by Japan’s SoftBank Group, confirmed that the compromised data included customers’ names, phone numbers, email addresses, shipping details, and parts of their order histories. However, it said no payment information or login credentials had been exposed.
Former Employee Suspected in Breach
Broadcaster JTBC reported that Coupang’s internal probe identified a former Chinese employee as a possible suspect. The individual, who had previously handled authentication tasks, allegedly accessed sensitive customer data using an active authentication key that remained valid even after their employment ended.
Lawmaker Choi Min-hee said in a statement that the breach highlighted serious security lapses in Coupang’s system. Police and Coupang have declined to comment on any potential suspects while investigations continue.
Growing Legal and Political Fallout
Public outrage over the breach is mounting. By Monday afternoon, more than 10,000 customers had expressed interest in joining a potential class action lawsuit seeking damages of over 100,000 won ($68) per person, according to lawyer Ha Hee-bong.
Coupang, founded in 2010 by Korean-American entrepreneur Bom Kim, is South Korea’s leading e-commerce platform, surpassing traditional retail giants such as Shinsegae. The company has also expanded into food delivery, streaming and fintech services, making the scale of this breach particularly significant.
Calls for Stronger Data Protection
In response to the incident, Kang Hoon-sik, the South Korean presidential chief of staff, said the country’s repeated data breaches since 2021 point to “structural loopholes” in its personal data protection framework. He added that the Coupang case should serve as an opportunity to strengthen punitive measures against companies that fail to safeguard customer information.
In August, SK Telecom, South Korea’s largest mobile carrier, was fined 134 billion won ($96.5 million) after a cyberattack exposed the data of nearly 27 million users. The government is now reviewing whether Coupang violated data protection laws and failed to deactivate employee credentials properly.
The investigation remains ongoing as authorities work to identify the perpetrators and close the security gaps that allowed the breach to occur.
With inputs from Reuters.

