Coupang Data Breach: What 150 Million Page Views Really Mean for Your Privacy

Coupang has stated its position regarding the recent data breach incident involving a former employee, following the release of a joint public-private investigation report. The company emphasized that the number of page views reported in the investigation should not be equated with the actual scale of the information leak. After the investigation revealed that page views containing sensitive information such as delivery addresses reached 150 million, Coupang stressed the importance of distinguishing between access attempts and confirmed data breaches.

On February 10, Coupang addressed the investigation findings, stating that the 150 million page views do not accurately reflect the extent of the data leak.

Earlier that day, the Ministry of Science and ICT announced at the Government Seoul Complex that the investigation found the scale of personal information leaked by the former Coupang employee exceeded 33 million records, with page views for delivery addresses and other information reaching approximately 150 million.

A Coupang spokesperson explained that the attacker’s page views were the result of attempts to collect individual personal data from over 33.7 million accounts.

The spokesperson clarified that while there were about 148 million attempts to access information such as names and phone numbers from the compromised accounts, the actual scale of the data breach remains at the initially reported figure of 33.7 million.

Regarding concerns about data transfer to overseas cloud services, the Coupang representative stated, “We have found no evidence of actual data transmission occurring. The investigation team also could not confirm any data transfer.”

The spokesperson added that they are currently identifying invalid accounts that cannot be traced back to specific individuals, and noted that the Personal Information Protection Commission will ultimately determine the exact scale of the leak.

The Coupang representative asserted, “We detected the data breach incident in November last year and immediately reported it to the relevant authorities. We have fully cooperated with all government investigations and have been transparent in disclosing all information.”

The investigation confirmed that there were no secondary damages, such as financial or property losses, resulting from the personal information leaked by the former employee. It was also found that payment information was not included in the compromised data. During the briefing, Choi Woo-hyuk stated, “No secondary damages have been identified so far, and there is no evidence of leaked payment information.”