### Investigators Uncover Months of Unchecked Database Scraping Activity as South Korea Fines Coupang $409 Million
In a significant move, South Korean regulators have imposed a record fine of 624.7 billion won, equivalent to approximately $409 million, on Coupang, the nation’s leading e-commerce giant. The fine arises from a series of serious privacy and security violations linked to a massive data breach that exposed the personal information of 33.7 million individuals.
The investigation, conducted by the Personal Information Protection Commission (PIPC), revealed that Coupang’s data breach was predominantly self-inflicted. The company failed to adhere to fundamental safeguards in authentication key management and access controls. This negligence allowed a former employee, who had worked as a software developer on Coupang’s authentication systems, to exploit his insider knowledge and access sensitive data. Investigators noted that the breach involved hundreds of millions of scraping incidents over a 10-month period in 2025, highlighting the company’s failure to prevent unauthorized access.
The former employee, who remains unnamed, retained an internal signing key after leaving the company, which he subsequently used to gather extensive details of customer profiles. This included member IDs, names, phone numbers, email addresses, physical addresses, apartment entry codes, and order histories. The repercussions of this breach extended beyond the company, as the perpetrator allegedly sent extortion emails not only to Coupang but also to affected customers.
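The failure described above is a key-lifecycle one: a signing key that a departing developer could still use was never revoked or rotated. The following Python is an added example, not Coupang's code or anything described in the regulator's findings, showing the control that would have closed that gap: every token carries a key identifier, verification consults a revocation set, and a retained key stops working the moment it is revoked. The key registry, key ids and secrets are constructed stand-ins (a real deployment would hold the secrets in a KMS or HSM).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key registry: key id -> HMAC secret. Hypothetical values only.
_KEYS = {
    "k-2024-11": b"constructed-secret-A",   # older key a developer may have handled
    "k-2025-06": b"constructed-secret-B",   # current signing key
}
_ACTIVE_KID = "k-2025-06"
_REVOKED = set()          # key ids that must no longer verify anything


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(member_id: str, kid: Optional[str] = None,
               ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a token bound to a specific key id so revocation can target it."""
    kid = _ACTIVE_KID if kid is None else kid
    now = time.time() if now is None else now
    payload = {"kid": kid, "sub": member_id, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(_KEYS[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def revoke_key(kid: str) -> None:
    """Offboarding step: anything signed with this key id is rejected from now on."""
    _REVOKED.add(kid)


def rotate_key(new_kid: str, secret: bytes) -> None:
    """Bring a fresh key into service; the old one stays only for verification
    until it is revoked."""
    global _ACTIVE_KID
    _KEYS[new_kid] = secret
    _ACTIVE_KID = new_kid


def verify_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, subject-or-reason). Revocation is checked before the MAC so a
    leaked but revoked key cannot be used to reach the data path."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    kid = payload.get("kid")
    if kid not in _KEYS:
        return False, "unknown key id"
    if kid in _REVOKED:
        return False, "revoked key id"
    expected = hmac.new(_KEYS[kid], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    if payload.get("exp", 0) < now:
        return False, "expired"
    return True, payload["sub"]
```

The point of the `kid` field is that revocation is per key, not per token: once the identifier a departing engineer had access to is added to the revoked set, every token minted with it fails closed, regardless of how many were issued or when.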
Regulatory authorities noted a dramatic increase in traffic directed at Coupang’s database, with many access attempts originating from fake member IDs. Alarmingly, Coupang failed to monitor these unusual activities, only acknowledging the breach after a customer flagged the ransom emails they received. This oversight reflects a significant failure in the company’s security operations, as it did not possess adequate mechanisms to detect anomalies in user access patterns.
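The two signals the regulators cite, a surge in traffic and lookups against fake member IDs, are both cheap to detect from ordinary access logs. The Python below is an added example of that detection logic, not anything from the page or from Coupang's systems. The log format (timestamp, credential id, member id looked up, endpoint), the member registry, the thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log format: "<iso timestamp> <credential id> <member id> <path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<cred>\S+) (?P<member>\S+) (?P<path>\S+)$")

# Constructed member registry: the only member ids that actually exist.
KNOWN_MEMBERS = {f"m{i}" for i in range(100, 160)}


def build_sample_log() -> List[str]:
    """Constructed sample: one well-behaved service credential and one
    credential that walks member ids sequentially, including ids that do not
    exist. Not real data."""
    lines = []
    for i in range(5):  # normal: five lookups spread over five minutes
        lines.append(f"2025-03-01T10:0{i}:00 cred-svc-12 m10{i} /profile")
    for i in range(240):  # scraper: 240 lookups inside a single minute
        lines.append(f"2025-03-01T10:02:{i // 4:02d} cred-dev-7 m{100 + i} /profile")
    lines.append("this line is malformed and should be skipped")
    return lines


def detect_scraping(lines: List[str], max_req_per_min: int = 100,
                    max_distinct_per_min: int = 50) -> List[Dict]:
    """Bucket requests per (credential, minute) and flag credentials whose
    request rate, member-id spread or use of non-existent ids is abnormal."""
    stats = defaultdict(lambda: {"req": 0, "members": set(), "unknown": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        minute = datetime.fromisoformat(m["ts"]).replace(second=0)
        s = stats[(m["cred"], minute)]
        s["req"] += 1
        s["members"].add(m["member"])
        if m["member"] not in KNOWN_MEMBERS:
            s["unknown"].add(m["member"])

    alerts = []
    for (cred, minute), s in sorted(stats.items()):
        reasons = []
        if s["req"] > max_req_per_min:
            reasons.append(f"{s['req']} requests in one minute")
        if len(s["members"]) > max_distinct_per_min:
            reasons.append(f"{len(s['members'])} distinct member ids in one minute")
        if s["unknown"]:
            reasons.append(f"{len(s['unknown'])} lookups of non-existent member ids")
        if reasons:
            alerts.append({"credential": cred, "minute": minute.isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_scraping(build_sample_log()):
        print(alert)
```

The third signal is the one worth keeping even when rate thresholds are tuned loosely: a legitimate client has no reason to request profiles for member ids that were never issued, so any non-zero count of unknown-id lookups from one credential is a strong indicator on its own.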
Furthermore, the breach affected not only Coupang account holders but also impacted 4.3 million non-members. These individuals had their personal information, including names, phone numbers, and addresses, compromised because they were listed as delivery recipients by customers. Compounding the problem, when regulators ordered Coupang to preserve evidence following its initial report of the breach, the company resorted to deleting approximately six months’ worth of access logs just days later. This action directly contravened the order, further complicating the investigation and potentially leaving unidentified individuals vulnerable to exploitation. Roughly 13% of the logs from the attack period were erased, indicating that additional victims may never be identified due to the company’s actions.
Coupang’s marketing practices also came under scrutiny, revealing they had collected browsing data from 11 million users without proper authorization. This data collection was extensive, encompassing URLs visited, application names, timestamps, IP addresses, and device identifiers. Some users had been redirected to Coupang via “hijack ads,” where deceptive overlays triggered redirects without any user intent, raising additional ethical and legal questions about the company’s marketing strategies.
In response to these allegations, Coupang contended that the data collected did not constitute personal information and proceeded to delete the contested records only after facing inquiries from regulators. Beyond these concerns, the company’s logistics subsidiary has been accused of improperly disclosing employees’ weight data during industrial accident litigation and maintaining a list that contained personal information about 71 journalists accused of spreading “false information.”
After receiving written accusations from the PIPC, Coupang offered an apology to its customers and the public, acknowledging the concern it had caused. However, the company asserted that it has numerous disagreements with regulatory findings and has expressed its intention to contest the penalty through legal channels.
This incident serves as a stark reminder of the pressing need for stringent data protection measures in the era of digital commerce. As regulations tighten globally, organizations must be vigilant in safeguarding customer information to avoid serious penalties and to maintain consumer trust. The case highlights the critical importance of not only implementing adequate security measures but also ensuring compliance with oversight mandates, as failure to do so can have dire financial and reputational consequences.