Korean E-Tailer Coupang Reports Data Breach Involving 33 Million Customers

Korean online retailer Coupang announced that a former employee has admitted to improperly accessing data of approximately 33 million customers. According to the company, the accused deleted the stolen data before any further damage could be done.

In a detailed post published on Christmas Day, Coupang revealed that it partnered with cybersecurity firms Mandiant, Palo Alto Networks, and Ernst & Young to conduct a forensic investigation. They identified the suspect and obtained sworn statements confirming his involvement.

The investigation suggests that the perpetrator stole a security key during his employment and used it to access customer records. The data accessed included around 3,000 customers' order histories and building access codes, which delivery personnel use to place packages inside apartment complexes.

The suspect reportedly used both a PC and a MacBook Air to run the attack. After surrendering his PC, investigators found the script used on one of its hard drives. Facing pressure from media reports, the suspect destroyed evidence by smashing his MacBook Air, placing it and some bricks into a Coupang canvas bag, and dumping it into a river.

Interestingly, investigators located the destroyed MacBook in the river and managed to read its serial number, which matched the serial number linked to the suspect's iCloud account. A forensic expert previously explained that saltwater can cause significant electronics damage, which may have helped the suspect try to destroy evidence.

Coupang's investigation states that the accused only accessed and retained data of about 3,000 accounts and deleted it after becoming aware of media coverage. The company's statement emphasizes that their findings are consistent with the suspect's sworn accounts, and no evidence contradicts his statements.

Despite the seemingly limited scope of data accessed, the incident affects more than half of South Korea’s population, which totals around 52 million. In response, Coupang plans to give affected customers a ₩50,000 ($35) voucher—a move that could cost the company approximately $1.17 billion.

South Korea’s government has also launched an inquiry into Coupang’s security practices. Past incidents, such as a data breach at SK Telecom, suggest that penalties could be substantial if violations are confirmed.

Related Incidents

• South Korea’s plan to require face scans for SIM card purchases amid rising security concerns.
• The 2011 story about using saltwater to destroy electronic evidence.
• Other recent breaches affecting telecom and mobile subscriber data in India and South Korea.

Summary This incident highlights ongoing cybersecurity challenges and the importance of robust data protection measures for large online platforms. Coupang’s swift response and transparency are notable, but regulatory scrutiny is expected to intensify.