South Korean police said on Monday they were tracing IP addresses and looking into possible tech vulnerabilities at Coupang after the e-commerce giant suffered the country’s worst data breach in over a decade.
Shares of the company fell 6.5% in morning trading.
The personal data of more than 33 million customers was leaked in a breach believed to have started on June 24 through overseas servers, though the company did not learn of the problem until November 18.
South Korea’s Science Minister Bae Kyung-hoon said on Sunday the perpetrator had “abused authentication vulnerabilities” in Coupang’s servers, and that authorities would be investigating whether the company violated rules regarding the protection of personal information.
Coupang, which is backed by Japan’s SoftBank Group, has said the breach exposed customers’ names, email addresses, phone numbers, shipping addresses and certain order histories, but not payment details or login credentials.
Broadcaster JTBC has reported that after conducting an internal investigation, Coupang suspects that a Chinese former employee, who was responsible for authentication tasks, was a key figure in the data breach.
A former employee used their authentication key that was still active after the termination of the person’s contract to get access to customer information, lawmaker Choi Min-hee said in a statement on Monday.
Police and Coupang declined to comment on possible suspects.
As of Monday afternoon, internet postings showed that more than 10,000 people planned to join a possible class action lawsuit against Coupang. Lawyer Ha Hee-bong said the potential class action could seek compensation of more than 100,000 won ($68) per person.
“We expect potential customer losses to be limited due to CPNG’s unrivaled market positioning and Korean customers being seemingly less sensitive to data breach issues,” J.P. Morgan analysts wrote in a note.
However, the potential of Coupang providing a voluntary compensation package, and the high likelihood of the Korea government imposing a potential penalty could result in a “sizable one-off loss,” which will likely weigh on near-term sentiment, the note added.
Coupang, founded by Korean-American Harvard graduate Bom Kim in 2010, is the country’s most popular e-commerce platform. It has overtaken family-owned conglomerates like Shinsegae in South Korean e-commerce and is also expanding into food delivery, streaming and fintech.
Kang Hoon-sik, South Korean presidential chief of staff, on Monday said four major data leak incidents since 2021 showed “structural loopholes” in personal information protection in South Korea.
In August, the country’s largest mobile carrier SK Telecom was fined about 134 billion won ($96.53 million) after a cyberattack this year caused the leak of data for nearly 27 million users.
Kang also said the latest incident involving Coupang should be an opportunity to improve the punitive damage system, which he said was not enforced in a way that would prevent massive data compromise.
($1 = 1,471.0800 won)
(Reporting by Hyunjoo Jin, Joyce Lee and Zaheer Kachwala; editing by Edwina Gibbs and Kate Mayberry)
Topics Law Enforcement
Was this article valuable?
Here are more articles you may enjoy.
SEC to Drop Controversial SolarWinds Cyberattack Lawsuit 
How E-Deliveries Are Fueling More Crashes, Traffic, Pollution and Worker Injuries 
Royal Bank of Canada Denies Claims of ‘Boys Club’ Culture, Bias Against Women 
Barge Looted in the Bahamas Returns to Florida but Insurance Claims Mounting 
