Joint probe finds 33.6 mln accounts exposed in Coupang data breach, dwarfing initial claim


A joint public-private probe into a major data breach case at the South Korean unit of U.S.-listed e-commerce giant Coupang Inc. has confirmed that over 33.6 million accounts have been exposed, the science ministry said Tuesday, suggesting the company may have sought to play down the incident by initially claiming only some 3,000 had been compromised.

The South Korean unit, Coupang Corp., also failed to promptly report the incident despite related regulations, according to the Ministry of Science and ICT.

The ministry said it will impose a fine on the company for the delayed report and pursue a formal investigation, stressing that the company has failed to preserve key evidence despite its earlier request.

The joint probe came after Coupang reported a massive data breach in November, in which personal information, including names, phone numbers, email addresses and delivery details, was exposed, apparently affecting nearly all of the company’s user base.

Coupang, citing its own investigation, initially claimed that data from only 3,000 accounts had been leaked, drawing wide public criticism for making what the science ministry earlier called “ill-intended” unilateral and unfounded claims.

On Thursday, the retail giant said it has discovered an additional data leak involving more than 165,000 customer accounts.

The ministry said the outcome of the joint probe did not include the newly reported 165,000 accounts.

The retail giant, offering overnight delivery of groceries and daily necessities, is one of the most popular shopping platforms in South Korea, with the breach possibly affecting about two-thirds of the country’s entire population.

The joint probe analyzed 25.6 terabytes of web access logs, which showed that 33.67 million users’ names and email addresses were leaked from the company’s system, the ministry said.

It added that the delivery section of Coupang’s website had been viewed about 148 million times and that the exposed information included shared entrance door passwords.

This suggests the number of victims of the breach may further rise, considering Coupang account holders can have goods delivered to family members and acquaintances by entering their names, phone numbers and addresses, the ministry explained.

The joint probe team said the “attackers” or hackers gained access to Coupang’s servers by exploiting a vulnerability in its authentication system.

While users who log into Coupang are issued a digital pass validated by the company’s servers, the attackers forged such passes, bypassing normal authentication procedures, according to the team.

The science ministry said it plans to impose fines on Coupang for belatedly reporting the breach to authorities.

According to the joint probe, Coupang became aware of the breach at 4 p.m. on Nov. 17 but did not report the incident to authorities until 9:35 p.m. on Nov. 19, far exceeding the 24-hour requirement.

Under the law, such delays are punishable by a fine of up to 30 million won (US$20,560).

The ministry said it will also call for a separate investigation into Coupang for failing to preserve evidence, noting web access records for a five-month period in 2024 and application access records from late May to early June of 2025 could not be found.

The government will instruct Coupang to submit measures this month to prevent a recurrence of a data breach and will inspect their implementation from June to July, the ministry added.

Copyright (c) Yonhap News Agency prohibits its content from being redistributed or reprinted without consent, and forbids the content from being learned and used by artificial intelligence systems.
