The South Korean e-commerce giant Coupang has confirmed a massive data breach involving 33.67 million user records, including names, email addresses, phone numbers, and delivery details. An official investigation by the Ministry of Science and ICT, along with a public-private joint investigation team, has revealed the extent of the breach, as well as significant lapses in Coupang’s data security protocols.
Key Findings of the Breach
The investigation confirmed that 33.67 million personal information records, including names and email addresses, were compromised. Additionally, the attacker accessed Coupang’s "Delivery Address List" page approximately 148 million times. This page contains sensitive information such as names, phone numbers, delivery addresses, and apartment entrance passwords, though passwords were masked with special characters on this page.
In some instances, the attacker also accessed the "Edit Delivery Address List" page, which displays delivery addresses and apartment entrance passwords in plain text. This page was viewed over 50,000 times. The investigation team expressed concerns that the scale of the breach could extend beyond the confirmed figures, as many Coupang users store delivery details for family members and acquaintances under their accounts.
Choi Woohyuk, Director of the Information Protection and Network Policy Office at the Ministry of Science and ICT, stated, "Under the guidelines of the Personal Information Protection Act, the fact that an attacker has viewed the data can be regarded as indicating a potential leakage of that information."
Attack Methods and Coupang’s Vulnerabilities

The attacker, a former software developer at Coupang, exploited vulnerabilities within the company’s authentication system. While employed at Coupang, the attacker was responsible for designing and managing the authentication system. By stealing the signing key for electronic access passes and forging these passes, the attacker bypassed Coupang’s authentication framework to access user data. The breach involved the use of an automated web crawling tool and 2,313 different IP addresses.
The investigation found that Coupang lacked critical safeguards to detect or prevent such forgery. Coupang did not have a procedure to verify the authenticity of electronic access passes, nor did it renew signing keys when key personnel left the company. These lapses were compounded by a failure to log issuance records systematically, leaving unauthorized access undetected for an extended period.
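The three missing safeguards named above (authenticity verification, key renewal on staff departure, and issuance logging) can be combined in a single verifier, sketched here as an added example that is not Coupang's code. The HMAC-signed pass format, the key IDs, and every name in it are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed keys for illustration. "k1" stands for a key that was retired
# when the engineer who held it left; "k2" is the current key.
KEYS = {"k1": b"constructed-old-key", "k2": b"constructed-current-key"}
RETIRED = {"k1"}
ISSUED = set()  # issuance ledger: ID of every pass the real issuer minted

def _mac(kid, body):
    return hmac.new(KEYS[kid], body, hashlib.sha256).hexdigest()

def mint(kid, user, pass_id, record=True):
    """Sign a pass. record=False models a pass minted outside the issuer."""
    body = json.dumps({"kid": kid, "sub": user, "jti": pass_id}).encode()
    if record:
        ISSUED.add(pass_id)
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(kid, body)

def verify(token):
    """Return 'ok' or the reason the pass is rejected."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
        kid, pass_id = str(claims["kid"]), str(claims["jti"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if kid not in KEYS:
        return "unknown-key"
    if not hmac.compare_digest(sig.encode(), _mac(kid, body).encode()):
        return "bad-signature"
    if kid in RETIRED:          # key rotation on staff departure
        return "retired-key"
    if pass_id not in ISSUED:   # valid signature, but no issuance record
        return "not-issued"
    return "ok"

def demo():
    genuine = mint("k2", "user-a", "pass-1")
    return {
        "genuine": verify(genuine),
        "stolen current key": verify(mint("k2", "user-a", "pass-2", record=False)),
        "stolen retired key": verify(mint("k1", "user-b", "pass-3", record=False)),
        "tampered": verify(genuine[:-1] + ("0" if genuine[-1] != "0" else "1")),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "stolen current key" case is the one a signature check alone cannot catch: the pass verifies cryptographically and is rejected only because the issuance ledger has no record of it.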
Delayed Reporting and Log Deletions
Coupang violated legal requirements by failing to promptly notify authorities of the data breach. Under the Act on Promotion of Information and Communications Network Utilization and Information Protection, companies must report breaches to the Ministry of Science and ICT or the Korea Internet & Security Agency (KISA) within 24 hours of discovery. Coupang delayed notification for two days after the incident was reported internally to its Chief Information Security Officer.
Further compounding the issue, Coupang failed to comply with a government data preservation order issued in November of last year. The company did not adjust its automatic log retention policies, resulting in the deletion of critical web and app access logs spanning several months. These deletions have hindered the investigation into the full extent of the breach.
Response and Next Steps
The Ministry of Science and ICT has announced plans to impose an administrative fine on Coupang for its delayed reporting of the breach. The company’s failure to comply with the data preservation order has also been referred to law enforcement for further investigation. Coupang has been ordered to submit a detailed plan for implementing recurrence prevention measures within this month. The government will review the company’s progress by mid-year and may issue corrective orders if necessary.
Despite the widespread nature of the breach, the investigation confirmed that financial payment information, such as credit card numbers and bank account details stored in Coupang Pay, was not compromised. Additionally, no evidence of secondary damage caused by the leaked information has been identified so far.
An official from the Personal Information Protection Commission cautioned, "The investigation is still ongoing, so it is difficult to specify when it will be completed." Further details, including the finalized scope of the breach, will be announced once the commission concludes its investigation.
Unprecedented Scale of the Breach
This breach is considered the worst on record in South Korea, with the number of compromised records exceeding the country's economically active population of 29.69 million people. The lack of robust security measures and the delayed responses from Coupang have raised significant concerns about the company’s ability to safeguard user data. Regulators have emphasized the need for stringent corrective actions to prevent such incidents in the future.
The Ministry of Science and ICT has indicated that, should Coupang fail to make the required improvements, it may revoke the company’s Information Security Management System (ISMS) and Personal Information Protection Management System certifications.
As investigations continue, this incident serves as a stark reminder of the critical importance of robust data security measures in the era of digital commerce.


