Data on 33.7 million Coupang accounts leaked by suspected ex-employee; secondary damage feared

The massive data breach at Coupang, South Korea's e-commerce giant — now confirmed to have exposed personal data for about 33.7 million customer accounts — is more than just a technical glitch.

It is a serious failure of corporate stewardship and a fundamental breach of consumer trust — a betrayal of numerous users who entrusted their personal information to a private company, expecting it to guard that data responsibly.

That the leak went undetected for five months after unauthorized access reportedly started around June 24 reveals systemic vulnerabilities in the company's cybersecurity practices.

The number of affected accounts the company reported to authorities ballooned from an initial report of 4,500 on Nov. 20 to 33.7 million on Nov. 29.

This huge discrepancy suggests either that the company’s monitoring systems were lamentably inadequate or that the incident’s severity was initially underestimated or underreported. Either way, it shows Coupang was sluggish in information protection, which is the basis of the digital economy.

Coupang has grown rapidly into an e-commerce behemoth through innovations such as early-morning delivery, but the fact that it remained in the dark about the breach for months raises questions about whether the company's focus on marketing and sales made it neglect data security and internal controls.

Coupang has clarified that payment information such as credit card numbers, as well as login credentials, was not compromised, yet customer anxiety remains. Shipping addresses, phone numbers and email addresses, all of which were exposed, are enough to enable phishing, scams, identity theft or other forms of misuse. Millions are exposed to secondary damage.

The breach is not just a Coupang problem. This year, data leaks occurred in other major South Korean companies, including telecom carriers.

But Coupang's situation is especially alarming because of the sheer scale of the breach and the fact that it is not just an online retailer, but part of daily life for tens of millions of customers.

Stiff penalties are expected if Coupang is found in violation of the Personal Information Protection Act, with some speculating the fines could surpass the record penalty recently imposed on SK Telecom for a similar breach. SK Telecom was slapped with a fine of 134.8 billion won ($91.9 million) for the leak of personal information from 23.2 million customers.

Consumers provide their information reluctantly, because doing so is mandatory. Keeping this in mind, companies must go to greater lengths to strengthen their internal data security systems.

According to emerging reports, the suspected involvement of a Chinese former employee, who is believed to have already left Korea, points to a critical lapse in internal access controls and risk management.

The former employee is said to have accessed Coupang's internal system from China after retirement. It is common sense to block a former employee's access immediately, but even this basic safeguard was not in place at Coupang.

If a company of Coupang's size and market dominance had hired a foreign employee who could access its customer data, a potential data leak abroad should have been a primary security consideration. The fact that the suspect may have left the country raises obvious challenges to accountability and makes recovery of data or prevention of further misuse more difficult.

Authorities, including the Ministry of Science and ICT and the Personal Information Protection Commission, should determine the cause of the incident through a thorough investigation.

The Coupang breach indicates that this is an era in which consumers' personal information cannot be entrusted to the goodwill and autonomy of companies.

When a company fails to protect user data — especially on such a large scale — there must be consequences significant enough to change behavior. A slap on the wrist would only make companies take data security lightly.

Platforms like Coupang must treat data protection as their lifeline and do their best to strengthen it.


khnews@heraldcorp.com