Coupang's November data breach, which affected 37.55 million consumers, has drawn a penalty of more than 600 billion South Korean won. On the 11th, the Personal Information Protection Commission (PIPC) announced that at its plenary session on the 10th it had imposed a penalty surcharge of 624.681 billion won on Coupang for violations of the Personal Information Protection Act. This exceeds the previous record of 134.791 billion won imposed on SK Telecom in August of last year. The commission also imposed a separate administrative fine of 16.8 million won.
The committee said, "The inquiry verified that this event happened because of Coupang's failure in handling personal data security," and mentioned, "Additional instructions were provided to enhance protective protocols to avoid such occurrences."
In November of last year, the PIPC opened an investigation after receiving Coupang's breach report, forming a joint task force with the Korea Internet & Security Agency.
A former Coupang employee who left the company in late 2024 was found to have run a data exfiltration test in January of the previous year and then systematically extracted personal data between April and November of that year by accessing the member profile editing, delivery address management, and purchase history functions.
Starting on April 14 of the previous year, the attacker used forged authorization tokens to access the delivery address management function roughly 148 million times, exposing names, phone numbers, and home addresses. On June 24 of the same year, he accessed the member profile editing function 34,966,812 times, leaking names and email addresses. From September 26 of that year, he accessed the delivery address update function 50,474 times and the purchase history view 85,213 times, which also exposed common entrance (building door) codes and order details.
Through these methods, the attacker exposed the personal data of 33,224,720 members and at least 4,338,368 non-members. This comprised 33,057,012 name-and-email records, 63,986,351 delivery address records (names, addresses, and common entrance codes) belonging to at least 22,375,359 members and 4,338,368 non-members, and the purchase histories of 58,349 members.
The commission concluded that the breach resulted from Coupang's inadequate security management and negligence. It stated, "Coupang failed to properly control access rights to the authentication signature keys, and even though there were abnormal surges in access during the attack period, it did not detect these anomalies."
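The second failure the commission names, not detecting abnormal access surges, is the kind of thing a simple volume baseline catches. The following is an added example, not code from the article, from the PIPC, or from Coupang: it buckets constructed access-log lines into hourly windows per endpoint, compares each window against the median of earlier windows, and reports windows that exceed a multiple of that baseline together with the actor responsible for most of the traffic. The log format, endpoint paths, actor names (including the token identifier `svc-token-7f3a`), and the factor-of-5 threshold are all assumptions for illustration.

```python
"""Baseline spike detection over constructed access-log lines.

Added example. The log format ('ISO8601 endpoint actor'), the endpoints
and the thresholds are assumptions; nothing here is Coupang's own tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW = timedelta(hours=1)


def parse_line(line):
    """Split 'timestamp endpoint actor' into (aware datetime, endpoint, actor)."""
    ts, endpoint, actor = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), endpoint, actor


def bucket(lines, window=WINDOW):
    """Count requests per endpoint per fixed window, and per actor inside each window."""
    counts = defaultdict(lambda: defaultdict(int))
    actors = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    secs = window.total_seconds()
    for line in lines:
        ts, endpoint, actor = parse_line(line)
        # Align the timestamp down to the start of its window.
        start = datetime.fromtimestamp(ts.timestamp() // secs * secs, tz=timezone.utc)
        counts[endpoint][start] += 1
        actors[endpoint][start][actor] += 1
    return counts, actors


def detect_surges(counts, actors, factor=5.0, min_history=3):
    """Flag windows whose count exceeds factor x the median of earlier windows.

    The median is used as the baseline so that one flagged window does not
    drag the baseline up for the windows that follow it.
    """
    alerts = []
    for endpoint, per_window in counts.items():
        history = []
        for start in sorted(per_window):
            n = per_window[start]
            if len(history) >= min_history:
                baseline = max(median(history), 1.0)  # never divide-by-zero a quiet endpoint
                if n > factor * baseline:
                    top_actor, top_n = max(actors[endpoint][start].items(), key=lambda kv: kv[1])
                    alerts.append({
                        "endpoint": endpoint,
                        "window": start,
                        "count": n,
                        "baseline": baseline,
                        "top_actor": top_actor,
                        "top_share": top_n / n,
                    })
            history.append(n)
    return alerts


def build_sample():
    """Constructed log (not real data): six quiet hours on two endpoints,
    then a seventh hour in which a single token-bearing actor hammers
    /member/address while /member/profile stays normal."""
    base = datetime(2025, 4, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for h in range(6):
        for i in range(4):
            lines.append(f"{(base + timedelta(hours=h, minutes=10 * i)).isoformat()} /member/address user{i}")
        for i in range(3):
            lines.append(f"{(base + timedelta(hours=h, minutes=15 * i)).isoformat()} /member/profile user{i}")
    surge = base + timedelta(hours=6)
    for i in range(60):
        lines.append(f"{(surge + timedelta(seconds=30 * i)).isoformat()} /member/address svc-token-7f3a")
    for i in range(3):
        lines.append(f"{(surge + timedelta(minutes=15 * i)).isoformat()} /member/profile user{i}")
    return lines


def run(lines=None):
    """Bucket the given (or constructed) log lines and return the surge alerts."""
    lines = build_sample() if lines is None else lines
    counts, actors = bucket(lines)
    return detect_surges(counts, actors)


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['window'].isoformat()} {alert['endpoint']}: {alert['count']} requests "
              f"vs baseline {alert['baseline']:.0f}; top actor {alert['top_actor']} "
              f"({alert['top_share']:.0%} of traffic)")
```

On the constructed sample this reports exactly one window: the seventh hour on `/member/address`, 60 requests against a baseline of 4, with one actor responsible for all of it. The per-actor share is the part worth watching in a case like the one described above, where a forged token rather than a crowd of legitimate users drives the volume.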
Coupang became aware on or about January 30 this year that a further 160,000 customers' personal data had been exposed through the delivery address function, yet it did not report this to the authorities until February 5, six days later. Moreover, although the commission asked it four times to notify the non-members affected by the breach, Coupang did not do so.
The committee mentioned, "Individuals who were not members could not implement protective actions against additional harm because they did not know about the leakage."
Coupang's internal policies also required user data to be destroyed 90 days after account closure and delivery addresses and account numbers to be deleted immediately. It nevertheless failed to delete 2,465,592 delivery address records (names, phone numbers, and addresses) belonging to closed accounts, and these were exposed in the breach. A further 318,499 account numbers of withdrawn users were also found not to have been deleted promptly.
Shortly after opening its investigation, the commission ordered Coupang to preserve evidence such as the web access logs related to the incident. Coupang nevertheless manually deleted five months of web access logs covering July through November 2024, making it harder to establish the exact sequence of events around the initial breach. The commission added, "No evidence was found that the leaked personal data was illegally distributed."
The commission also faulted Coupang for collecting consumers' web browsing data without their consent.
The investigation found that between December 23, 2024 and February 4 this year, Coupang collected and tracked the online behavior of 11,176,130 consumers, covering 15,645,338 website and app visits, and used the data for targeted advertising.
Accordingly, the commission imposed a penalty surcharge of 423.575 billion won and an administrative fine of 16.8 million won for the data breach, plus a further penalty surcharge of 201.16 billion won for the unlawful collection of browsing data.
The penalties were calculated on the basis of the revenue of Coupang's online shopping service. Under the Personal Information Protection Act, a penalty surcharge may be up to 3% of revenue. The commission said, "The final amount was determined in consideration of the seriousness of the violations and the scale of the harm caused."
Separately, the commission imposed a fine of 248 million won on Coupang Fulfillment Services, a Coupang subsidiary.
The investigation found that Coupang Fulfillment Services collected and processed the names of 71 journalists accredited to the National Police Agency, none of whom had ever worked at its distribution centers, and placed them on a confidential employee list. The commission ruled this a violation of the rules on collecting and using personal data. Coupang Fulfillment Services also submitted employees' body weight data to a court in a workplace injury case, which the commission found to be a violation of the rules on handling sensitive personal information.