South Korea's largest e-commerce firm, Coupang, is embroiled in controversy after a data breach exposed the personal information of 33.7 million customers. The leak ran from June to November and went undetected for five months. Authorities are considering fines and class-action lawsuits.
Coupang's data breach took place from June to November via overseas servers and was allegedly carried out by a former developer, a Chinese national, who quit in December 2024. The former employee exploited authentication tokens and a signing key that Coupang failed to revoke or rotate after the departure, exposing a major cybersecurity flaw. Leaked data includes names, addresses, phone numbers, emails, and some purchase histories, but login credentials and credit card information remain secure, according to the company.
Coupang CEO Park Dae-jun told parliament on December 2 that "the suspect could be an individual or multiple people," declining to give further details because of an ongoing police probe. The company first reported the incident to the Korea Internet & Security Agency on November 18, citing 4,500 affected customers, but revised the figure to 33.7 million on Saturday. This marks Korea's largest-ever breach, impacting nearly all customers.
The Financial Supervisory Service has begun an on-site inspection of Coupang Pay, while the Fair Trade Commission (FTC) may investigate jointly with the consumer agency. An FTC official said, "We can indirectly look into the incident if affected customers bring the case to the consumer agency." The U.S. Securities and Exchange Commission (SEC) could impose sanctions for non-disclosure, as regulations require reporting material cybersecurity incidents within four business days.
Customers are canceling accounts and preparing class actions, with 14 filing a lawsuit Monday at Seoul Central District Court seeking 200,000 won ($136) each in compensation. Analysts predict limited customer loss due to Coupang's 22.7% market share last year, but shares fell 5.36% Monday before rebounding 0.23% Tuesday to $26.71. President Lee Jae-myung stated at a Cabinet meeting Tuesday, "The damage is massive, at roughly 34 million cases, but even more startling is the fact that the company did not realize the breach had occurred for five months," calling for tougher penalties. Founder Bom Kim, a U.S. citizen, faces calls for moral responsibility despite evading legal designation as the company's head.