South Korean e-commerce retailer Coupang has apologised after a data breach exposed information from around 33.7 million accounts.
The leak included customers’ names, email addresses, phone numbers, and shipping addresses, Coupang said, though payment details and login credentials were not affected.
“We apologise for causing inconvenience and concern,” Coupang CEO Park Dae-jun wrote.
“We'll closely cooperate with relevant authorities to prevent further damage,” according to Park. “We are also reviewing what changes we can make to the data security system, so we can better protect customer information.”
Customers’ data was first accessed on 24 June through servers outside South Korea, and the access continued for nearly five months. The company originally estimated that just 4,500 accounts had been impacted before revising its figure to 33.7 million on Saturday.
Coupang received an email warning that the data breach would be disclosed to the media if it did not bolster its security system, Yonhap News Agency reported. The email did not demand a monetary ransom.
Police have identified a former Coupang employee from China as a suspect, per Yonhap. The South Korean government has said it remains open to a range of possibilities.
South Korea’s government held an emergency ministerial meeting on Sunday, attended by officials including Deputy Prime Minister Bae Kyung-hoon and acting National Police Agency Commissioner Yoo Jae-sung.
The hack exploited a loophole in Coupang’s authentication process, according to Bae. The South Korean government said it has been investigating the issue since the data breach was reported on 19 November, and launched a further joint public-private investigation yesterday.
The country’s Personal Information Protection Commission is investigating whether Coupang neglected to add appropriate cybersecurity measures.
Coupang has 24.7 million active users, it said in November, and is South Korea’s largest online retailer.
The data breach follows a similar leak at South Korea’s SK Telecom this year, which exposed data from almost 27 million users. SK Telecom was fined KR₩134 billion (A$140 million) in August for violating cybersecurity obligations.