A significant data breach at South Korea’s Coupang Corp. has exposed the personal information of over 33.6 million accounts, as confirmed by a joint investigation between public and private sectors. This alarming figure far exceeds the company’s initial claim of only 3,000 compromised accounts, raising questions about Coupang’s transparency in handling the incident.
The breach, reported to have occurred on November 17, 2023, involved a wide range of personal data, including names, phone numbers, email addresses, and delivery information. This incident potentially impacts nearly two-thirds of South Korea’s population, given Coupang’s popularity as a leading e-commerce platform, known for its overnight delivery service.
Regulatory Response and Investigation Findings
According to South Korea’s Ministry of Science and ICT, the investigation revealed that Coupang failed to adhere to legal requirements by delaying the reporting of the breach. The company became aware of the incident at 4 p.m. on November 17 but only reported it to the authorities at 9:35 p.m. on November 19, exceeding the mandated 24-hour notification period. As a result, Coupang faces potential fines of up to 30 million won (approximately USD 20,560) for this lapse.
The ministry highlighted that Coupang’s initial assessment was misleading, as the company had claimed that only a small number of accounts were affected. This assertion was criticized as “ill-intended” by officials, who emphasized the need for accurate reporting in such serious matters.
The joint probe analyzed an extensive 25.6 terabytes of web access logs, confirming the leak of 33.67 million users’ names and email addresses. Additionally, the investigation uncovered that the breach included sensitive information such as shared entrance door passwords, raising concerns about the number of victims potentially increasing. The ministry explained that users can deliver goods to family and friends by entering their names and addresses, which further complicates the scope of the breach.
Security Vulnerabilities and Future Measures
The investigation revealed that attackers gained access to Coupang’s servers by exploiting vulnerabilities in the company’s authentication system. The hackers managed to forge digital passes, allowing them to bypass standard authentication procedures. This breach has prompted the ministry to demand that Coupang implements preventive measures against future incidents.
In light of the findings, the government will require Coupang to submit a plan detailing steps to prevent a recurrence of such breaches by the end of this month. Following this, an inspection of the implementation of these measures will take place from June to July 2024.
Furthermore, the ministry has initiated a separate inquiry into Coupang’s failure to preserve critical evidence related to the breach. Records from a five-month period in 2024 and application access logs from late May to early June 2025 could not be located, indicating serious shortcomings in the company’s data management practices.
As the investigation unfolds, it highlights the critical need for robust cybersecurity measures and transparent reporting practices in the rapidly evolving digital economy. The implications of this breach extend beyond corporate accountability, affecting the trust of millions of users who rely on Coupang for their shopping needs.
