The unauthorized leak of personal information from 33.7 million Coupang accounts has sparked widespread nationwide repercussions. With virtually the entirety of user information leaked from Korea's largest e-commerce platform, this incident is considered a massive breach, comparable to the 2011 Nate Cyworld incident. Initially, Coupang reported that only 4,500 accounts were exposed on the 18th, but subsequent investigations revealed a significant increase in the scale of the breach. The data, including names, email addresses, phone numbers, shipping addresses, address books, shared entrances, passwords, and some order information, is being included, raising concerns about potential secondary damage, including voice phishing and smishing.
Coupang stated that financial and authentication information, including payment information, credit card numbers, and login passwords, were securely protected. The company believes unauthorized access via overseas servers has been ongoing since June 24th, and has blocked the access route and is continuing the investigation by bringing in external security experts. However, criticism of poor management is growing, as the leak went undetected for over five months.
The government has also launched an emergency response. The Ministry of Science and ICT, the Personal Information Protection Commission, and the National Police Agency plan to form a joint public-private investigation team to conduct a thorough analysis of the cause of the incident and develop measures to prevent a recurrence. The Seoul Metropolitan Police Agency's Cyber Investigation Unit is investigating based on the complaint filed by Coupang, and a former Chinese employee has emerged as a prime suspect. The employee, who is currently residing overseas, reportedly sent a threatening email claiming to be in possession of personal information and threatened to disclose the leak if security measures were not strengthened. While no financial demands were made, the possibility that the information may have already been shared with third parties is being investigated.
While Coupang advised customers that no special action was required, it urged them to remain vigilant amid the heightened risk of fraudulent calls and messages. Civil society and the security industry are increasingly demanding that Coupang provide a responsible explanation and take measures to protect victims.
