Amid the personal data leak at Coupang, which became the first standalone domestic retailer to surpass 40 trillion won in annual sales, critics say the company focused only on expanding its business and failed at internal controls. The scale of the consumer information leak is one of the largest on record.

According to industry sources on the 1st, information from 33.7 million consumer accounts at Coupang was leaked. That exceeds the 24.7 million consumers with purchase history (active customers in the product commerce segment) cited when Coupang announced third-quarter results. In effect, information on nearly all consumers who have used Coupang was leaked. The scale surpasses that of the leak at SK Telecom, which received the largest-ever penalty surcharge (134.8 billion won) from the Personal Information Protection Commission. SK Telecom saw personal information from 23.24 million subscribers leaked this year.


◇ Retail behemoth Coupang armed with tech sees personal data leaks recur

The problem is that Coupang did not detect the leak for about five months. The personal data leak was confirmed to have occurred on June 24, and the company did not recognize that information had been leaked until Nov. 18, when the incident was identified.

This runs counter to Coupang's long-touted slogan of being a "technology company" pursuing an overwhelming lead. Founder and chair Bom Kim has stressed, "Coupang is a tech company." Yet a major hole opened up in data security, one of the basics for any tech company.

A retail industry source said, "Coupang should reconsider whether its self-promotion as a company armed with innovative technologies such as artificial intelligence (AI) logistics dispatch and machine learning-based demand forecasting was merely for show."

There were several signs that in-house security policies needed to be tested. From Aug. 2020 to Nov. 2021, personal information of 135,000 Coupang Eats delivery drivers was leaked externally. In Dec. 2023, there was another personal data leak in Wing, the seller-only system, in which the personal information of buyers and recipients was exposed to other sellers.

A cybersecurity industry source said, "Typically, when a problem occurs, companies redefine and tighten their enterprise-wide internal security systems, but given that the issues continued through this incident, it appears such efforts were insufficient."


◇ Insider act, not external hackers, raises questions about corporate culture

Because the leak was not the work of external actors, some see it as a failure stemming from Coupang's organizational culture, which they describe as excessively competitive. While it could be dismissed as one individual's misconduct, the point is that this incident should prompt a review of how internal management systems and culture created vulnerabilities.

The consumer data leak is being attributed not to external hackers but to a former Coupang employee. The employee had worked on authentication at Coupang and is understood to have used data access keys (tokens) obtained at that time to extract personal information.

In the retail industry, there are suggestions that Coupang's hard-driving, performance-centric culture may have created blind spots in internal controls. In an environment that prioritizes rapid execution and results, security checks and access control procedures were pushed down the list. That is why basic security governance—such as revoking access for departing employees, monitoring logs of access to sensitive data, and strengthening management of tokens and API keys—failed to take root at Coupang.

A cybersecurity industry source said, "Security is not a field where you can prove performance with numbers, because its role is to prevent incidents before they happen," adding, "Shopping algorithm development and the ads field are different. If you are a worker, which field would you prefer?"

There is also criticism that the definition of what kind of company Coupang is for workers needs to be reset. A former Coupang executive said, "As the company emphasized numerically provable performance, a culture developed in which the system squeezes individuals. At the same time, loyalty to the workplace and a sense of community were regarded as old-fashioned."

The person continued, "When Coupang workers think about Coupang, many see it as a workplace where they can quickly raise their market value," adding, "As a result, the overall organizational culture and internal control systems could be criticized as being fundamentally shaken."
