Online retailer Coupang is known as South Korea’s Amazon and built its reputation on its overnight “rocket delivery” service, but it has been a lot slower to respond to a hack that leaked the personal information of nearly two-thirds of the country’s population.
Investigators said the breach began through Coupang’s overseas servers in June, but the company only became aware of it in November. The chief executive of Coupang’s South Korean subsidiary resigned this week, but Bom Kim, its Korean-American founder and chair, has yet to offer any personal apology.
Coupang said the hack compromised personal information including names and phone numbers, as well as email and shipping addresses, of more than 33mn accounts. Police said it was South Korea’s worst-ever data breach.
President Lee Jae Myung called the case a wake-up call for stronger cyber security, saying it was “astonishing” that Coupang, South Korea’s largest online retailer by market share, did not detect the breach for five months.
“The wrong practice of not giving necessary care for protecting personal data, which is a key asset in the age of artificial intelligence and digitisation, must be completely changed,” Lee said last week.

Coupang, which boasts 25mn active users and offers services ranging from food delivery to streaming, said it had yet to establish full details of the cause and scope of the hack.
But former chief executive Park Dae-jun told a parliamentary hearing a week before his resignation that a former software developer was behind the attack.
Park said the alleged perpetrator was a Chinese national involved in authentication tasks at Coupang before his contract ended last December and he was believed to have returned to China.
Coupang’s chief information security officer, Brett Matthes, testified that the alleged perpetrator had a “privileged role” in the company that would have given him access to a private encryption key, which allowed him to generate a forged token to impersonate a customer.
Choi Min-hee, a member of South Korea’s National Assembly, said in a statement that the former employee used the key, which was still active even after he left the company, to access customer information, citing information she had received from Coupang.
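The testimony above describes a signing key that stayed valid after the person with access to it had left. As an added illustration (not code from Coupang or from this article), the verifier below tracks key lifecycle, rejects any token signed under a retired key and records an alert, because a valid signature under a retired key means someone still holds the key material. The key ids, secrets, claim names and function names are constructed for the example, and HMAC-SHA256 stands in for the asymmetric signature a production token service would use.

```python
import base64, hashlib, hmac, json

# Constructed key registry. HMAC-SHA256 stands in for the asymmetric signature
# a real token service would use; the lifecycle check is the same either way.
KEYS = {
    "k-2024": {"secret": b"constructed-old-secret", "status": "retired"},
    "k-2025": {"secret": b"constructed-new-secret", "status": "active"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, body):
    return hmac.new(secret, body.encode(), hashlib.sha256).digest()

def issue(kid, sub, exp, keys=KEYS):
    """Mint a token under key `kid` (what any holder of that key can do)."""
    body = _b64(json.dumps({"kid": kid, "sub": sub, "exp": exp}).encode())
    return body + "." + _b64(_mac(keys[kid]["secret"], body))

def verify(token, now, keys=KEYS, alerts=None):
    """Return (claims, None) if accepted, else (None, reason)."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = keys[claims["kid"]]
        sig_ok = hmac.compare_digest(_mac(key["secret"], body), _unb64(sig))
    except (ValueError, KeyError, TypeError):
        return None, "malformed-or-unknown-key"
    if not sig_ok:
        return None, "bad-signature"
    if key["status"] != "active":
        # A valid signature under a retired key means someone still holds
        # the key material: reject and raise a high-priority alert.
        if alerts is not None:
            alerts.append({"kid": claims["kid"], "sub": claims.get("sub")})
        return None, "retired-key"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired"
    return claims, None
```

The retired-key branch is checked before expiry so that the alert fires on every use of the old key, including tokens that would have been rejected as expired anyway.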
Coupang has said its users’ login credentials, credit card numbers and payment details were not affected by the hack, but officials and legislators have warned that citizens could be vulnerable to targeted phishing attacks using the leaked information. “It is like the keys of almost everyone’s homes in Korea are stolen,” said National Assembly member Choi Hyung-du.

The company said in a statement to the Financial Times that after learning of the breach on November 18 it immediately reported it to authorities, blocked the unauthorised access route and strengthened internal monitoring. It said it would “significantly enhance our information security to prevent recurrences and will do everything we can do to recover trust”.
But legislators have lambasted Coupang for what they say is a lack of caution and a slow response. They are demanding that founder and chair Kim come forward and apologise himself. He has been summoned to a second parliamentary hearing next week.
Lee Hoon-ki, a lawmaker at last week’s hearing, suggested Coupang had been “negligent” about security issues as it rapidly expanded. Founded in 2010 as a website offering deals to group buyers, the company has seen its revenues soar more than 30-fold in the past decade to $30.2bn last year. It received a $3bn investment from SoftBank in 2015 and listed in New York in 2021 after the Covid-19 pandemic fuelled growth further.

Cyber security experts said Coupang was far from alone, with several high-profile cases contributing to what they expected to be South Korea’s worst year for large-scale data breaches.
SK Telecom, the country’s largest mobile carrier, was fined $97mn this year over the leak of information on 25mn customers. Telecoms rival KT and credit card provider Lotte Card also reported data breaches.
Upbit, the country’s dominant cryptocurrency exchange, suffered a hack last month that led to the unauthorised withdrawal of Won44.5bn ($30mn) in cryptocurrency.
Lee Chan-jin, governor of the Financial Supervisory Service, said South Korean companies’ investment in cyber security remained “awfully inadequate” compared with countries such as the US.
Simon Choi, chief technology officer of cyber security start-up StealthMole, said businesses should see paying for data protection as insurance.
“If you talk to bosses of big companies, they often say there are too many offline issues to take care of, so cyber security often takes a back seat,” he said. “They scramble to invest more belatedly when major incidents happen, but prevention is more important.”

Kang Hoon-sik, the president’s chief of staff, said in a meeting with senior administration officials that the major data leaks in recent years showed “structural loopholes” in South Korea’s personal information protection and the Coupang case was an opportunity to improve the country’s punitive damages system.
Lawmakers have called for Coupang, which reported Won41tn in sales last year, to pay Won1.2tn in penalties under a law that allows companies that fail to implement adequate data protection measures to be fined up to 3 per cent of their revenue.
The country’s Personal Information Protection Act also allows punitive damages of up to five times actual harm if personal data is leaked due to wilful misconduct or gross negligence.
But the clause, introduced in 2015 after leaks involving credit card companies, and the 3 per cent rule have rarely been enforced.
“US companies have to pay huge damages if they lose class action lawsuits over data breaches,” said Wi Jong-hyun, business professor at Chung-Ang University in Seoul. “But Korean companies are not afraid of this because penalties are weak and there are few cases of collective legal action.”
Market tracker IGAWorks said the data leak had caused Coupang’s daily active users to fall by about 2mn to 16mn. JPMorgan analysts said in a note that customer departures were likely to be “limited”, citing the company’s “unrivalled market positioning and Korean customers being seemingly less sensitive to data breach issues” than consumers elsewhere.
Coupang controlled 22.7 per cent of the local e-commerce market last year, followed by Naver with 20.7 per cent, according to the Ministry of Data and Statistics.
But Chung Da-hye, a 45-year-old office worker in Seoul, said she recently quit Coupang’s paid membership to express her anger over the incident.
“I love Coupang’s dawn delivery of fresh produce, but it is so disappointing to see the company’s response to the data breach,” she said. “They are making all their money here in Korea, but Bom Kim doesn’t show up to apologise. No one is taking responsibility.”