A massive data breach at South Korea's leading e-commerce firm Coupang has exposed personal information of 33.7 million customers. Police are tracking a Chinese former employee suspect using an IP address, while the government considers fines up to 1 trillion won. The breach, starting in June, went undetected for five months.
Coupang confirmed on November 30 that unauthorized access via overseas servers began on June 24, leading to the leak of customers' names, phone numbers, email addresses, and delivery addresses. Initially reported as affecting 4,500 people, the breach actually impacted 33.7 million users, marking South Korea's largest data leak. Payment information and login credentials were unaffected, the company stated.
Police at the Seoul Metropolitan Police Agency are analyzing server logs and tracking the suspect using a secured IP address. The suspect is a former Chinese employee who left the company and South Korea. "We are analyzing server logs submitted by Coupang," an official said. "We have secured the IP used by the suspect in the crime, and are tracking them down." Authorities are verifying the suspect's nationality, departure, and connection to an email threatening disclosure. The investigation started internally last month and formalized last week after Coupang's complaint on network intrusion charges.
The Personal Information Protection Commission (PIPC) is probing whether Coupang violated safeguards like access control, rights management, and data encryption. Under the Personal Information Protection Act, fines could reach 3 percent of revenue, up to 1 trillion won ($770 million) based on Coupang's first three quarters' domestic revenue of 31.226 trillion won. This surpasses SK Telecom's 23.2 million-user breach, fined 134.8 billion won.
Coupang CEO Park Dae-jun stated, "We express our regret for the recent incident at Coupang that began on June 24." "We sincerely apologize for causing significant inconvenience and concern to the public." The company pledged to enhance data protection and cooperate with authorities. The government is collaborating with ministries to prevent secondary harms like voice phishing, with no reports yet. Coupang has faced prior internal leaks, incurring only 1.6 billion won in total fines. Civic groups urge stronger protections, including class actions and punitive damages.
