Coupang data leak exposes security lapses

Posted February 11, 2026 09:06

Updated February 11, 2026 09:06


A joint public and private investigation released on Feb. 10 found that during Coupang’s large-scale data breach, a delivery address list page displaying customers’ names, phone numbers and home addresses was accessed about 150 million times. The findings indicate that the scope of the breach was far larger than initially disclosed. Because the page often includes personal information belonging to family members or friends who exchange gifts, the potential scale of harm may extend even further.

The investigation showed that a former Coupang employee responsible for the breach extracted about 33.67 million records of personal data, including names and email addresses, from the “edit my information” page after leaving the company. Late last year, Coupang abruptly released the results of what it described as an internal investigation, stating that roughly 33 million records had been accessed but that only about 3,000 had been stored. The announcement drew criticism that the company was attempting to downplay the extent of the damage. The government has now officially concluded that the breach involved more than 33 million records.

Investigators also confirmed that the former employee accessed the delivery address list page more than 100 million times. In addition, the individual viewed the delivery address editing page, which allows access to shared building entrance passwords, about 50,000 times. The order list page showing recent transactions was accessed roughly 100,000 times. Officials warned that beyond the risk of such information being sold for advertising or marketing purposes, exposure to criminal groups involved in voice phishing or other fraud could result in irreversible harm.

The findings also revealed that Coupang’s security systems were effectively defenseless during seven months of repeated external intrusion. The perpetrator used a forged electronic access badge, prepared while still employed at the company, which allowed unrestricted entry into internal systems even after resignation. Investigators said the breach could have been prevented if Coupang had verified the authenticity of the electronic badges used to access its servers.

Even more concerning, the investigation found that Coupang was already aware of vulnerabilities in its badge-based authentication system. The company had identified weaknesses through simulated hacking exercises but failed to implement corrective measures. The lax security of a technology giant with annual revenue exceeding 40 trillion won ultimately resulted in harm affecting tens of millions of customers.

Government sanctions, however, are limited. Under the Information and Communications Network Act, authorities may impose fines for failing to report a breach within 24 hours of discovery, but the maximum penalty is only 30 million won. The Personal Information Protection Commission, which will make the final determination on the scale of the leak, has the authority to levy fines of up to 3 percent of a company’s total revenue. While a thorough and impartial investigation must come first, any punishment warranted by the findings should be applied without delay.