Recently, a large-scale personal information breach occurred at Coupang, South Korea's largest e-commerce platform, causing concern among many users. Although the first abnormal access was detected on November 6, 2025, Coupang only recognized it on November 18, 12 days later, and then reported it to the relevant authorities. Initially, it was reported that the account information of about 4,500 people was leaked, but subsequent investigations confirmed that the information of approximately 33.7 million customer accounts was exposed without authorization. The leaked information includes customers' names, email addresses, shipping address books (name, phone number, address), and the last five order details. Fortunately, sensitive financial information such as payment information, credit card numbers, and login passwords was not leaked.
The main cause of the Coupang data breach is being pointed to the abuse of 'Signed Access Tokens.' Coupang stated that there were no signs of external system intrusion or internal network hacking, and it is estimated that a third party stole and abused tokens used to access customer account profile information without valid authentication procedures. This access is likely to have been achieved through specific vulnerabilities in the system, and the failure of security management is cited as a significant cause. In particular, the fact that it took 12 days after the incident to recognize it and that the situation was only understood after receiving customer complaints has been criticized for missing the 'golden time' of initial response. This shows that the company's information protection system had limitations in immediately detecting and blocking abnormal access.
Robust technical safety measures are essential to prevent the recurrence of personal information leaks. First, strengthen access control. Access rights to all systems must be minimized, and systems must be built to detect and block unauthorized access attempts in real time. Authentication methods such as 'signed access tokens', as in the Coupang case, must be protected with stronger security mechanisms. Second, personal information encryption is essential. All sensitive personal information stored in databases must be protected using strong encryption algorithms, and encryption must also be applied in the transmission section. Third, it is important to operate an intrusion detection and prevention system (IDS/IPS) and regularly check for security vulnerabilities to identify and eliminate potential threats in advance. In addition, the introduction of multi-factor authentication (MFA) can minimize the risk of account theft.
As important as technical measures are management and policy measures. First, establishment of internal security policies and education. Regular personal information protection and information security education should be provided to employees to raise security awareness, minimize the number of personal information handlers, and strictly manage access rights. Second, the data minimization principle must be adhered to. A policy must be established to collect only the minimum personal information essential for providing the service and to immediately dispose of unnecessary information. Third, a rapid incident response system must be prepared. In the event of a personal information leak, a clear process must be established to prevent the spread of damage immediately upon recognition, report it to the relevant authorities, and notify the information subject without delay. Coupang's delayed recognition and reporting controversy once again reminds us of the importance of this response system.
The government and the Personal Information Protection Commission are strengthening corporate responsibility for repeated personal information leaks. Under the Personal Information Protection Act, companies are obligated to thoroughly implement measures to ensure the safety of personal information, and violations result in fines and surcharges. In particular, the government has recently expanded its investigative powers to conduct on-site investigations without a company's report when evidence of hacking is secured, and is increasing fines and surcharges for concealing hacking facts, delayed reporting, and failure to implement recurrence prevention measures, and is even pushing for the introduction of a punitive surcharge system. This is intended to encourage companies to expand investment in personal information protection, secure dedicated personnel, and make proactive security enhancement efforts. Consumers also need to monitor companies' efforts to protect their personal information and take an active approach in the event of damage.
The Coupang personal information leak incident has once again reminded us how important personal information protection is in the digital age. Companies must continue to make multifaceted security enhancement efforts from technical, managerial, and policy aspects, and the government must create a safe personal information protection environment through strong regulations and support. Only when users also make efforts to protect their own information will it be possible to build a safe and reliable digital environment. We hope that this incident will serve as an opportunity for all stakeholders to raise their awareness of personal information protection and that cooperation and efforts to effectively respond to the ever-changing cyber threats will continue.
A1: Customers' names, email addresses, shipping address books (name, phone number, address), and the last five order details were leaked. Payment information and login passwords were not leaked.
A2: It is estimated that the unauthorized access was caused by the abuse of 'signed access tokens.' It appears that valid tokens were stolen and used through vulnerabilities within the system rather than external hacking.
A3: Coupang stated that there was no leakage of payment information, so no separate measures are necessary, but users should pay special attention to phishing calls or texts, etc. It is also recommended to change your password if you are using the same password on other websites.
A4: The Personal Information Protection Commission is strengthening the reporting obligations of companies and is increasing penalties, such as fines and punitive surcharges, for delayed reporting or concealment. It is also encouraging companies to invest in information protection and secure dedicated personnel.
0