Coupang Data Breach: Over 33 Million Personal Records Exposed – What You Need to Know!
Daniel Kim Views
[Herald Economy = Reporter Park Hye-rim] “They must have had good intentions…”
A government investigation has revealed that Coupang’s personal information leak affects 33.67 million names and email addresses. However, the actual number of victims could be significantly higher when considering over 140 million delivery address inquiry records. The scope of the breach extends to delivery information of gift recipients, potentially causing the final damage tally to snowball dramatically.
On October 10th, the Ministry of Science and ICT reported that their investigation into the network breach by a former Coupang employee found 33,673,817 names and email addresses were compromised through the “My Information Edit Page.”
Excluding duplicates, it’s fair to say that nearly 33.67 million Coupang users have had their information exposed.
The concern is that the scale of the breach could be even more extensive. Choi Woo-hyuk, Director of Information Security Network Policy at the Ministry, stated, “The mere act of ‘viewing’ constitutes a ‘leak’ beyond Coupang’s control, as customer data is transmitted to the system the moment that page is accessed.”
The Ministry confirmed that the attacker accessed the “Delivery Address List Page” over 148 million times. This page contains not only subscribers’ details but also names, phone numbers, and addresses of their family members and acquaintances. Each page can list up to 20 delivery addresses, suggesting that the potential victims per page could reach 20, affecting both members and non-members alike.
Lee Dong-geun, Director of the Korea Internet & Security Agency (KISA), explained, “The attacker initially gathered names and emails through the My Information Edit Page, then directly accessed the Delivery Address List Page to randomly query personal information. The 148 million records include the 33.67 million members, as well as non-members and members whose information wasn’t leaked from the My Information Edit Page.”
The investigation also uncovered over 50,000 queries of delivery address lists containing shared entrance passwords and about 100,000 queries of order lists with recently purchased items. Even after accounting for duplicate accesses, it’s highly likely that at least 33.67 million individuals’ personal information has been compromised.
Of particular concern are the shared entrance passwords, which Coupang had previously denied were at risk. Following recommendations from the Personal Information Protection Commission, Coupang recently assured affected customers that payment and login details, shared entrance passwords, emails, and order histories were not compromised. This claim now directly contradicts the government’s findings, leaving Coupang open to criticism for potentially downplaying the breach’s severity.
The investigation revealed that the attacker, a former Coupang developer, used a “signature key” stolen during his employment to forge an electronic access badge, enabling unauthorized access to the internal network. Coupang had stored this key on a developer’s laptop instead of in a secure system and failed to update it after the employee’s departure, highlighting serious security lapses. Choi Woo-hyuk emphasized, “This breach clearly stems from management failures rather than sophisticated hacking techniques.”
The Personal Information Protection Commission will determine the final extent of the personal information leak based on this technical investigation’s results.
Most Commented