The biggest data leak in the history of Korean e-commerce giant Coupang: 33.7 million users’ information stolen

A large-scale data leak has occurred at Coupang, Korea’s largest e-commerce platform, affecting 33.7 million users, equivalent to three out of four adults in the country. This is the fourth time Coupang has been penalized for a data leak, and both its customer-information management and its control over staff access to data have been called into serious question.

Deputy Prime Minister for Science and Technology and Minister of Science and ICT Bae Kyung-hoon said at an emergency meeting held on Sunday: “Investigators have confirmed that the attackers exploited an authentication flaw in Coupang’s servers to access more than 30 million customer accounts without logging in and to obtain names, e-mail addresses, delivery addresses and telephone numbers.” The government has set up a joint public-private task force to conduct a detailed investigation and is verifying whether Coupang violated its security obligations under personal-information protection law. The investigation shows that, from 24 June until recently, access from an overseas server continued to siphon customer data.

Although Coupang claimed that “the intrusion path used by the third party was blocked once the unauthorized access was confirmed”, the wider concern among users is that the impact may be far greater than anticipated: the company not only failed to detect the leak in time but also misstated its scope at first. According to Korean media reports, Coupang announced on 20 November that it had “confirmed on the 18th that information on 4,500 customer accounts had been leaked without authorization” and reported it the same day, but almost 10 days later the number of affected accounts was revised to 33.7 million. Notably, Coupang’s third-quarter financial report puts the number of active customers in its product commerce segment at 24.7 million, so this leak is far larger than that figure. The incident also surpasses the previous record for personal-information breaches in Korea: the previous record-holder, SK Telecom’s leak of 23.24 million customer records, drew a fine of 134.8 million won (approximately $9.18 million).
More worrying is that the leak is believed to have originated from an internal vulnerability and that the company was unable to detect it for five months. Coupang acknowledged on 20 November that no signs of an external intrusion had been found, and Korean media reported that a former employee of foreign nationality is under investigation. Coupang CEO Kim Beom-seok issued an apology on Sunday: “We express regret for causing major public distress and are unable to comment on the investigation.” Coupang has more than 10,000 employees, and among a workforce of that size only IT and systems staff should have specific access to customer information. Although Coupang had strengthened its security organization by appointing a separate Chief Information Security Officer and Chief Privacy Officer, it clearly failed to defend against insider threats.

Industry experts commented: “Coupang was thought to have perfected data protection, given how highly it pays its IT talent, but customer data protection is the most basic requirement, and its competence in managing it may be seriously flawed.” Professor Park Chun-sik of the Department of Cyber Security at Seoul Women’s University stressed: “If a leak is triggered by a staff member, internal security management has collapsed. The damage caused by insider incidents often goes far beyond that of external attacks.” This is the fourth time Coupang has caused a data incident through an internal error: in October 2021, an application update error exposed 14 customers’ information for one hour; between August 2020 and November 2021, data on approximately 135,000 couriers was passed to restaurants; and in December 2023, its vendor management system leaked 22.44 million customer records. The cumulative fines for the first three incidents were approximately 1.6 billion won. In contrast to its year-on-year growth in revenue, Coupang’s investment in information security is clearly inadequate. Data from the Korea Internet & Security Agency (KISA) show that its cybersecurity investment this year is approximately 89 billion won, only 4.6 per cent of total IT expenditure. The share of the security budget in total IT investment has declined for the fourth consecutive year: from 7.1 per cent in 2020 to 6.9 per cent in 2023, and further to 5.6 per cent last year. Coupang’s security spending, at only 0.2 per cent of total revenue, is also significantly lower than that of other major technology companies: 0.7 per cent at Kakao and SK Telecom, and 0.4 per cent at Naver and KT.

This data leak comes at a critical juncture for South Korea’s cybersecurity governance and has exposed serious gaps across every sector. Since the hacking of SK Telecom last April, which leaked USIM server data for more than 23 million users, all three of Korea’s major mobile operators have reported data leaks, and Lotte Card has disclosed unauthorized access to more than 200 GB of customer information, affecting nearly 3 million people.
