
Coupang, South Korea’s leading e-commerce platform, has revealed a massive data breach affecting 33.7 million customer accounts, equivalent to nearly two-thirds of the Korean population. This incident has become the largest e-commerce security event in the country’s history and could result in fines of up to $900 million (approximately 1.2 trillion KRW).
The incident exposes vulnerabilities in data protection systems, especially in e-commerce platforms that handle sensitive information such as transaction histories, delivery addresses and payment methods.
Unauthorized access not detected for five months
Coupang confirmed the unauthorized exposure of usernames, phone numbers, email addresses, delivery address books and purchase details. Although the company detected unusual access on November 6, it did not fully identify the breach until November 18, more than 12 days later.
Investigations revealed that the attackers accessed customer data through overseas servers for almost five months, from June 24 to November 8.
A former Coupang worker has been identified as the main suspect. This person had access to the authentication services and retained the access keys after his resignation, which facilitated the breach.
Data not legally required to be encrypted
The leaked information was not subject to mandatory encryption under Korean law. South Korea’s Personal Information Protection Law only requires encryption of payment data (such as credit card numbers) and unique identifiers (such as resident registration numbers).
Although names, addresses, phone numbers, emails, and purchase history are not critical payment data, combining them can create significant security risks. Analysis of purchase history reveals lifestyle patterns and family structures that, when linked to personal contact details, can lead to spear-phishing attacks or even physical threats.
Additionally, cross-referencing this information with previously leaked payment data can enable re-identification attacks to precisely locate individuals.
Legal and reputational consequences
The Coupang breach surpasses SK Telecom’s previous data leak (27 million users), which resulted in a fine of 134.8 billion KRW. Under amended data protection laws in South Korea, fines can be up to 3% of annual revenue, which in Coupang’s case could range from 150 billion KRW to a maximum of 1.2 trillion KRW.
Just two days after the breach became public, class action movements began to form, with more than 200,000 people joining related online forums. The company could also face additional penalties for slow detection of the incident.
The importance of encryption beyond legal compliance
This incident underscores the importance of encrypting data even when the law does not require it. Encrypted data is worthless to an attacker who does not also obtain the decryption keys, whereas unencrypted data is immediately exploitable the moment it is exfiltrated.
To mitigate the risks of future data breaches, organizations must implement robust, proven encryption solutions, even for data that is not legally protected.
Penta Security, a leading data security company, offers D.AMO, a data encryption platform that provides centralized control and a standalone key management system (KMS). D.AMO enables column-level encryption, minimizing performance impact, and supports multiple deployment methods without requiring application modifications.
Conclusions
The Coupang breach demonstrates that information not covered by legal encryption requirements can still pose significant risks when combined. Companies should consider protecting customer data beyond legal minimums by adopting proactive encryption solutions. Preventing a data breach is critical to maintaining customer trust, avoiding massive fines, and ensuring business continuity.
References
- [Penta Security - D.AMO Datasheet](https://www.pentasecurity.com/d-amo-datasheet/)