The Korea Times

Coupang apologizes over info leak affecting 33.7 mil. customers

Data breach started 5 months ago; Chinese ex-employee suspected as culprit

A notice by Coupang shows, Sunday, that a customer's personal information has been leaked. The company apologized over the massive data breach that allegedly affects 33.7 million customers. Yonhap

Coupang offered a public apology over a massive customer data leak, Sunday, pledging efforts to prevent further issues.

The apology came after it was made public that the number of affected people has reached 33.7 million — presumably all Coupang customers — and the cyber intrusion allegedly began five months ago.

Unlike other data leak cases committed by outside cyber criminals, it is suspected that the incident at the nation’s largest e-commerce platform operator was committed by a former employee who is a Chinese national, highlighting the company’s lax internal management.

The company and the government on Sunday confirmed that the data of some 33.7 million customers had been leaked, making it one of the largest privacy breaches in decades. That figure was a sharp jump from 4,500, its initial estimate of affected customers announced on Nov. 18.

The number of victims could be the same as Coupang’s total number of customers with memberships. The company has not disclosed those numbers, but when it released its third-quarter business performance earlier this month, it said its latest monthly active users numbered 24.7 million.

"We express regret over the recent incident ... we apologize for causing inconvenience and concern," the company said in a statement issued under the name of Park Dae-jun, CEO of Coupang Corp., which handles the company's Korean fulfillment and logistics operations.

"We'll closely cooperate with relevant authorities to prevent further damage ... we are also reviewing what changes we can make to the data security system, so we can better protect customer information."

Coupang Corp. CEO Park Dae-jun apologizes to the public over the company's data leak affecting 33.7 million customers, at Government Complex Seoul, Sunday. Yonhap

Coupang said the leaked information includes customers’ names, emails, delivery addresses and, for some, purchase histories. However, their payment details, credit card numbers and login information remained protected, it added.

The company said the megascale breach, based on its ongoing investigation, is presumed to have begun on June 24 and continued until recently through unauthorized access via its overseas servers. This means the intrusion went undetected for nearly five months, raising concerns that customers may face further issues.

As to the concerns, it said its customers “need not take any cautionary action with their Coupang accounts.” But it also said in a statement, “We advise our customers to be careful with any phone call, text message or other communication that falsely claims to represent Coupang.”

Police suspect that a former Coupang employee from China committed the breach. The individual has already quit the company and left Korea, raising concerns that the investigation may reach a dead end.

The firm on Sunday declined to say whether it identified the former employee as the main culprit.

After learning about the data breach, the company reported the incident to the National Police Agency and government agencies including the Korea Internet & Security Agency and Personal Information Protection Commission (PIPC).

The government, police and the company have formed a joint investigative team. An emergency meeting on Sunday was attended by Deputy Prime Minister and Minister of Science and ICT Bae Kyung-hoon, Minister for Government Policy Coordination Yoon Chang-ryul, PIPC Chairperson Song Kyung-hee and acting Commissioner General of the National Police Agency Yoo Jae-sung.

The government said it is investigating whether Coupang violated its security obligations.

Coupang's headquarters in Seoul's Songpa District, Sunday / Yonhap

In terms of impact, Coupang’s data breach surpasses most recent incidents encountered by large companies here.

Most recently, telecom giant SK Telecom suffered a data leak affecting 23.24 million customers. The company first admitted in April that a hacker had breached its database, and in May notified its customers that there “could be possibilities of leakage of personal information.” Later, the company broke the news of the large-scale data breach, prompting hundreds of thousands of customers to line up outside its offline stores to replace their potentially compromised USIM cards.

In 2008, Shinsegae Group’s e-commerce platform subsidiary Gmarket suffered a privacy breach affecting 18 million customers. GS Group’s refinery subsidiary, GS Caltex, sustained a data breach of 11 million customers that same year.

In 2011, NATE Communications, then operating social media platforms like NATE and Cyworld, had 35 million members’ accounts breached. The incident is one of the few that can match the scale of Coupang’s data leak.

Given the large number of affected people, it is speculated that the government’s penalty for Coupang may surpass the one it imposed on SK Telecom. PIPC in August fined SK Telecom 135 billion won ($92 million) for its negligence in allowing the breach, the largest fine slapped on a single company since the commission’s launch in 2020.

Besides the customer information leak, Coupang is currently facing public criticism over the severity of its workplace environment for night shift workers, as more than 20 workers have died on duty since 2020. It has also prompted a special prosecutors’ investigation after its subsidiary, Coupang Fulfillment Services, modified its internal regulations to avoid paying severance to day laborers with over a year of accumulated service.