Coupang Suffers Massive Customer Data Breach; Police Say 'Investigation Ongoing, Cannot Disclose Details'

The police have launched an investigation into the large-scale customer data breach at Coupang. Authorities plan to summon Coupang officials soon to question them about the circumstances of the leak.
A representative from the Seoul Metropolitan Police Agency (SMPA) stated on the 20th, "We are currently investigating," but added, "We cannot provide specific details at this time."
Given the gravity of the incident, which has reportedly affected over 33.7 million customer accounts, the SMPA decided not to delegate the case to local police stations. Instead, the Cyber Crime Investigation Unit of the SMPA is handling the investigation directly.
It was reported that Coupang did not specify a defendant in the complaint filed with the police on the 25th, instead listing 'an unidentified person.' Investigators are questioning Coupang officials about where and how the data was stored, the methods by which it was leaked, and are analyzing logs and server records to identify the perpetrator.
According to industry sources, the leaked Coupang customer data was allegedly taken by a former employee of Chinese nationality. This individual has already left Coupang and is believed to have departed from Korea.
If the suspect is confirmed to be a national of the People's Republic of China (PRC), the police are considering requesting investigative cooperation from the PRC. Korea has already signed an Extradition Treaty and a Treaty on Mutual Legal Assistance in Criminal Matters with the PRC. Since hacking is classified as an 'electronic crime,' authorities may seek assistance under the Treaty on Mutual Legal Assistance in Criminal Matters for the provision of investigative materials, transfer of seized items, and searches or seizures.
Additionally, during the Asia-Pacific Economic Cooperation (APEC) summit, Korea and the PRC signed a Memorandum of Understanding on Countering Voice Phishing and Online Fraud Crimes (MOU) with the Ministry of Public Security (MPS) of the PRC. This agreement covers cooperation in areas such as the collection, exchange, and analysis of information and evidence; joint operations and investigations to track and apprehend criminals; support, protection, and repatriation of victims; and the tracking and freezing of criminal proceeds.
However, there are concerns that the investigation may be challenging, as these agreements are not legally binding, the PRC must first acknowledge the crime as committed by one of its nationals, and Korean authorities must present evidence. It is also necessary to determine whether hacking falls under the scope of voice phishing or online fraud crimes.
Alongside the police investigation, the Personal Information Protection Commission (PIPC) is also conducting a parallel inquiry. This raises the possibility that Coupang could face penalties for internal management failures, regardless of whether the perpetrator is identified. Some have raised suspicions of 'safety measure violations,' as the breach began in June but was not discovered until November.
The leaked Coupang data reportedly includes customer names, email addresses, phone numbers, physical addresses, and some order information.


425_sama@fnnews.com Choi Seung-han Reporter