An investigation into a data breach at Coupang has found that more than 33 million personal information records were exposed and that a delivery address list page containing names, phone numbers and addresses was accessed roughly 150 million times.
The Ministry of Science and ICT said Monday at the Government Complex Seoul that a joint public and private investigation team had released the findings of its probe. Authorities analyzed 25.6 terabytes of web and application access logs and conducted a forensic examination of storage devices from the attacker’s personal computer submitted by Coupang.
Investigators confirmed that the breach compromised 33,673,817 user records containing names and email addresses. While about 33.67 million user accounts were affected, the attacker accessed the delivery address list page, which stores shipping information, 148,056,502 times. Each account can store up to 20 delivery addresses, including those of family members or acquaintances, raising concerns that the scope of exposed personal data may be larger than initially estimated. In addition, passwords for shared building entrances were viewed more than 50,000 times, along with names, phone numbers and addresses, through the delivery address editing function.
The investigation team also found indications that sensitive personal data may have been transmitted to cloud servers located overseas, though the Ministry of Science and ICT said it could not confirm whether any such transfers actually took place.
The government plans to impose an administrative fine of up to 30 million won, citing Coupang’s failure to report the breach within 24 hours of becoming aware of it, as required under the Information and Communications Network Act. Penalties related to the personal data leak itself will be handled separately by the Personal Information Protection Commission.
Reporter Choi Ji-won (최지원), jwchoi@donga.com