About us
(Seoul=Yonhap Infomax) Su In Jeong = Coupang Inc., South Korea's leading e-commerce platform and the nation's third-largest investor in information technology and cybersecurity, has reported yet another personal data breach affecting approximately 4,500 customers.
According to disclosures from the Korea Internet & Security Agency (KISA) on the 24th, Coupang ranked third nationwide in both IT and cybersecurity investment. The company invested KRW 1.9171 trillion ($1.45 billion) in IT, of which KRW 89 billion ($67 million), or 4.6%, was allocated to cybersecurity.
In both categories, Coupang trails only Samsung Electronics Co., Ltd. and KT Corp. By industry, Coupang leads the retail sector in IT and cybersecurity investment. The company also ranks sixth and seventh, respectively, in terms of workforce dedicated to these areas.
Coupang's cybersecurity investment has steadily increased since 2022, rising from KRW 53.5 billion ($40 million) in 2022, to KRW 63.9 billion ($48 million) in 2023, KRW 66 billion ($50 million) last year, and KRW 89 billion ($67 million) this year.
However, the proportion of cybersecurity spending relative to total IT investment has declined annually, from 7.1% in 2022, to 6.9% in 2023, 5.6% last year, and 4.6% this year.
Despite increased IT investment, Coupang notified authorities on the 20th of a personal data breach affecting around 4,500 customers. The company initially stated it became aware of the incident on the 18th, but later clarified that a customer complaint regarding data exposure was received at around 22:00 on the 16th. Coupang's incident report estimates the actual breach occurred on the 6th, 12 days before the official report. Under South Korea's Information and Communications Network Act, companies must report breaches within 24 hours of discovery.
This is not Coupang's first security incident. In 2021, a data leak involving Coupang Eats delivery workers occurred, followed by a 2023 breach of seller system order information. The company was fined a total of KRW 1.6 billion ($1.2 million) for both incidents. The Personal Information Protection Commission found Coupang violated mandatory safety measures, including access controls, in both cases.
Other major firms have also suffered data breaches this year, despite significant security investments. Incidents have affected telecom giants SK Telecom Co., Ltd. [017670] and KT Corp. [030200], as well as Lotte Card and CJ Olive Young. Notably, SK Telecom, the nation's fourth-largest cybersecurity investor, faced public backlash in April after it was revealed that customer data was not encrypted during a 'USIM hacking' incident.
Industry experts note that as investment and security technologies advance, so do the sophistication of attacks, with artificial intelligence increasingly used to exploit vulnerabilities. Basic management lapses, such as SK Telecom's failure to encrypt data, can still be found.
The full details of the Coupang breach are expected to emerge following an investigation, which could take at least three months to over a year. Observers caution that the root cause may not directly correlate with investment levels, and a range of factors should be considered.
A Coupang spokesperson stated, "We have confirmed there was no unauthorized access to payment information or external intrusion into Coupang's systems and internal networks. Upon detecting the activity, we immediately took necessary response measures and have since strengthened ongoing monitoring."
sijung@yna.co.kr
(End)
Copyright © Yonhap Infomax Unauthorized reproduction and redistribution prohibited.