Online retail giant Coupang hit by massive data leak

South Korea’s largest online retailer, Coupang, has apologised for a massive data breach potentially involving nearly 34 million local customer accounts.

The country’s internet authority said that it is investigating the breach and that details from the millions of accounts have likely been exposed.

The e-commerce platform is often described as South Korea’s equivalent of Amazon.com. The breach marks the latest in a series of data leaks at major firms in the country, including its telecommunications giant, SK Telecom.

Coupang told the BBC it became aware of the unauthorised access of personal data of about 4,500 customer accounts on 18 November and immediately reported it to the authorities.

But later checks found that some 33.7 million customer accounts – all in South Korea – were likely exposed, said Coupang, adding that the breach is believed to have begun as early as June through a server based overseas.

The exposed data is limited to name, email address, phone number, shipping address and some order histories, Coupang said.

No credit card information or login credentials were leaked. Those details remain securely protected and no action is required from Coupang users at this point, the firm added.

The number of accounts affected by the incident represents more than half of South Korea’s roughly-52 million population.

Coupang, which is founded in South Korea and headquartered in the US, said recently that it had nearly 25 million active users.

Coupang apologised to its customers and warned them to stay alert to scams impersonating the company.

The firm did not give details on who is behind the breach.

South Korean media outlets reported on Sunday that a former Coupang employee from China was suspected of being behind the breach.

The authorities are assessing the scale of the breach as well as whether Coupang had broken any data protection safety rules, South Korea’s Ministry of Science and ICT said in a statement.

“As the breach involves the contact details and addresses of a large number of citizens, the Commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act.”

Coupang has faced multiple cyber-security breaches in recent years, including one incident that exposed 460,000 customers’ data.

Major South Korean organisations have delivered harsh criticism over the latest breach.

The editorial board of local newspaper Chosun Ilbo described the incident as “preposterous” and called for strong sanctions on firms responsible for leaks of its customer data.

Another local media outlet, the Dong-A Ilbo, said the breach is “the worst personal data leak” in Korean history.

The media outlet questioned how long the incident went unnoticed, adding that it “means their internal data protection system barely mattered.”

The breach marks the latest in a series of cyber-security incidents affecting major South Korean companies this year, despite the country’s reputation for stringent data privacy rules.

SK Telecom, South Korea’s largest mobile operator, was fined nearly $100m (£76m) over a data breach involving more than 20 million subscribers.

In September, Lotte Card also said the data of nearly three million customers was leaked after a cyber-attack on the credit card firm.

Additional reporting by Jake Kwon in Seoul