South Korean leader calls for penalties over e-commerce data leak

SEOUL – South Korea’s President ordered on Dec 2 swift action to penalise those responsible for

a major data leak at e-commerce giant Coupang

.

The breach – resulting in personal data for some 33 million Coupang customers being leaked – was South Korea’s worst in more than a decade.

The company is now grappling with a police investigation, potential hefty fines, as well as a possible class action suit.

It was “astonishing that the company failed to recognise the breach for five months”, South Korean President Lee Jae Myung said, adding that the “scale of the damage is massive”.

Mr Lee said those responsible must be quickly identified and held accountable.

“The wrong practice and the idea of not giving necessary care for personal data protection, which is a key asset in the age of artificial intelligence and digitalisation, must be completely changed,” he said.

Under current South Korean law, companies that fail to implement adequate data protection measures can be fined up to 3 per cent of their revenue.

That could mean a fine of more than 1 trillion won (S$884 million) for Coupang, which reported 38.3 trillion won in revenue in 2024.

Coupang is South Korea’s most popular online shopping platform, serving millions of customers with lightning-fast deliveries of products, from groceries to gadgets.

Coupang’s chief information security officer Brett Matthes told a parliamentary hearing that the perpetrator obtained a private encryption key, which allowed the person to generate a forged token to impersonate a customer.

“We do believe that this person, if it is the person, had a privileged role within the organisation that would have given him access to the key that has been taken,” Mr Matthes said.

A former Coupang engineer who took part in developing the system’s authentication protocol is the suspected perpetrator, the company’s chief executive officer Park Dae-jun said, adding that other people may have been involved.

Mr Park did not name the person.

Coupang has apologised for the incident, but members of Parliament called for founder Bom Kim, a Korean American who established the company in 2010, to come forward and personally apologise.

Seoul has said the leak took place through overseas servers from June 24 to Nov 8.

But Coupang only became aware of it in November, according to the police and local media, who said the company had issued a complaint in November against the alleged culprit – a former employee and a Chinese national.

On Dec 2, Mr Lee ordered the government to “strengthen fines and make punitive damages a reality”, calling for “substantive and effective countermeasures”.

“The cause of the accident must be quickly identified and (those responsible) must be held strictly accountable,” he said.

The police said on Dec 1 that they were tracing computer IP addresses and looking into possible international collaboration as part of their investigation.

They warned the leak could “threaten the daily lives and safety of every single citizen”.

Coupang has told customers that their names, e-mail addresses, phone numbers, shipping addresses and some order histories had been exposed in the leak.

But the company said their payment details and login credentials had not been affected.

The case follows a major breach at South Korea’s largest mobile carrier SK Telecom, which was fined about 134 billion won (S$118 million) in August after a cyberattack exposed data on nearly 27 million users.

South Korea is among the world’s most wired countries, but has also been a target of hacking by arch-rival North Korea.

The police announced in 2024 that North Korean hackers were behind the theft of sensitive data from a South Korean court computer network – including individuals’ financial records – over a two-year period.

In November 2025, Yonhap News Agency reported that the South Korean authorities suspected a North Korean hacking group may be behind the recent cyberattack on cryptocurrency exchange Upbit, which led to the unauthorised withdrawal of 44.5 billion won in digital assets. AFP, REUTERS