A massive data breach at e-commerce giant Coupang exposed personal information of 33.7 million customers from June 24 to November 8. Officials revealed the attacker exploited the company's electronic signature key, prompting a thorough government investigation. The incident has heightened public concerns over South Korea's data protection capabilities.
Coupang confirmed last week that personal information including names, phone numbers, email addresses, delivery details, and recent purchase histories of 33.7 million customers was compromised. This affected nearly all members of the platform, which has 34 million monthly active users, shaking public trust. Second Vice Minister Ryu Je-myung stated in parliament, 'As we review all log data from July last year to November this year, we have confirmed that private data from more than 30 million accounts was leaked,' explaining the attack ran from June 24 to November 8. The attacker exploited Coupang's electronic signature key, which is required to access servers.
Coupang CEO Park Dae-jun identified the suspect as a former developer on the verification system team, saying, 'The suspect could be an individual or multiple people,' while declining further details due to the ongoing police investigation. Police are tracking the suspect using an IP address. The breach follows a series of major leaks this year involving SK Telecom, KT, and Lotte Card, raising concerns over national data protection.
President Lee Jae-myung, during a Cabinet meeting, expressed shock, saying, 'the scale of the damage is massive, involving about 34 million cases, but it is truly shocking that the company failed to detect the breach for five full months,' and ordered a thorough probe and accountability. He urged harsher penalties, implementation of punitive damages based on international standards, and a paradigm-shifting digital security framework. Users are changing passwords and scrutinizing messages amid fears of voice phishing, with online groups mobilizing for collective action. Because Korea, unlike the U.S., lacks broad class actions, public pressure and regulatory scrutiny will likely drive responses, as seen in the 2016 Interpark hack, where only 2,400 of 10.3 million victims joined suits.