The probe, led by the Ministry of Science and ICT along with private agencies, found that about 33.67 million users' names, phone numbers, e-mail addresses and other details were exposed. Since users could save other people's information such as family members' details on their accounts for orders, the ministry said the number of people affected could exceed the number of accounts.
The probe also found that customers' personal information and their delivery addresses were accessed about 148 million times, while their ordering details were viewed more than 100,000 times.
The ministry described the incident as a large-scale breach involving long-term access to sensitive personal information. It said its former employee, suspected of being behind the breach, used 2,313 IP addresses over roughly seven months to access Coupang's servers.
The suspect appeared to bypass normal login procedures by abusing Coupang's vulnerable user authentication system to repeatedly access accounts and collect personal data using automated web tools. The breach occurred from April to November last year, with evidence of initial testing in January.
The ministry blamed Coupang's poor management of employee log-in procedures for the massive leak, saying the suspect was able to continue accessing its servers even after quitting the company. It also criticized Coupang's delayed response, saying the company failed to report the incident within 24 hours of detecting it, which constitutes a legal violation.
The ministry said it will require Coupang to submit a plan for preventive measures by the end of this month and will monitor compliance from March to May, with follow-up inspections planned for June and July.
Tuesday's revelations come after Coupang initially said in November last year that the incident affected about 3,000 users, before admitting last week it had discovered an additional data leak affecting over 165,000 customers, far fewer than the findings of the latest probe.
Copyright ⓒ Aju Press All rights reserved.
