Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population

South Korea’s largest online retailer, Coupang — often described as the country’s version of Amazon — apologized on Sunday after confirming that the personal details of 33.7 million customer accounts had been compromised.

It is the latest high-profile data breach to have affected South Korean companies, with 27 million customers of SK Telecom and 3 million customers of Lotte Card informed of incidents earlier this year.

In response to the Coupang breach, the South Korean government held an emergency meeting on Sunday of senior officials including the deputy prime minister, Yun-cheol, the minister of science and ICT, Bae Kyung-hoon, and the acting commissioner general of the Korean National Police Agency, Yoo Jae-seong.

“As the breach involves the contact details and addresses of a large number of citizens, the Commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act,” the Ministry of Science and ICT stated.

Coupang said in November it had become aware of unauthorized access to approximately 4,500 customer accounts. This was revised dramatically upward following an internal investigation. The total figure is equivalent to around 65% of South Korea’s population of 51.7 million, although practically the proportion of the population impacted is likely to be lower.

Names, email and postal addresses, phone numbers and order histories are believed to have been compromised. Coupang said payment information and login credentials were unaffected.

Coupang — which has recorded annual revenues in the tens of billions of dollars in recent years — offers a Rocket Delivery service for same-day and dawn deliveries, making it a ubiquitous shopping destination for many Koreans.

The company said it “immediately reported [the data breach] to the relevant authorities, including the National Police Agency, the Personal Information Protection Commission, and the Korea Internet & Security Agency.”

An insider threat?

South Korean news reports have suggested that no malicious code has been found on Coupang’s internal systems. Reported suspicions for the breach are centering on a former employee.

The Yonhap news agency reported that police believe they have identified the perpetrator. It described them as a Chinese former employee who has since left the country, although this has not been confirmed by police.

“We are analyzing server logs submitted by Coupang. We have secured the IP used by the suspect in the crime, and are tracking them down,” the Seoul Metropolitan Police official told reporters.

Yonhap reported police are also attempting to confirm whether the suspect was the same individual who had previously sent an email to Coupang threatening to disclose the breach. The email did not request money from the company, according to police.

SK Telecom, the country’s largest mobile operator, was fined a record 134 billion won ($91 million) over its breach. The company had said it failed to detect nearly 25 types of malware in its systems for almost three years. 

In the wake of the recent data breaches, an official from South Korea’s presidential office said the country’s system for punishing companies that fail to protect customer data is ineffective.

“The punitive damages system is virtually not functioning, and as a result, there are limits to preventing large-scale data leaks,” stated the residential chief of staff Kang Hoon-sik, as reported by Yonhap.

The recent incidents are highlighting “structural weaknesses” in South Korea’s legal regime for protecting personal data, added Kang, stating the Ministry of Science and ICT and the Personal Information Protection Commission had been instructed to deliver a report on how to improve the situation.