Coupang breach affecting 33.7 million users raises data protection questions
Coupang, South Korea's largest e-commerce platform, suffered a large-scale data breach affecting 33.7 million user accounts. The leaked data includes sensitive information such as user names, phone numbers, addresses and purchase records, none of it encrypted. The incident is the largest security incident in the history of South Korean e-commerce, could bring fines of up to $900 million, and has prompted strong public protest and legal action.

2025-12-22 14:30:21 Author: www.bleepingcomputer.com


Coupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts, which is equivalent to nearly two-thirds of the Korean population.

This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW).

This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods.

The scale of the incident has raised concerns among customers and industry observers.

Unauthorized Access Undetected for Five Months

On November 29, Coupang confirmed the unauthorized exposure of user names, phone numbers, email addresses, delivery address books, and purchase details.

While the company detected unusual access on November 6 at 6:38 PM KST, it did not fully identify the breach until November 18 at 10:52 PM, more than 12 days later.

Investigations revealed that attackers had accessed customer data via overseas servers for nearly five months, from June 24 to November 8.

A former Coupang employee has been identified as a prime suspect. The individual had access to authentication services and retained access keys post-resignation, enabling the breach.
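
The failure described above, access keys that stayed valid after their holder left, can be checked for by joining the key inventory against offboarding records and the authentication log. The following is an added example, not code from Coupang, Penta Security or the original article; the key IDs, employee IDs, log format and the `XX` country code are constructed placeholders.

```python
from datetime import date, datetime

# Constructed sample data (not from the incident): HR offboarding dates,
# an access-key inventory, and authentication-service log lines.
OFFBOARDED = {"emp-1042": "2025-03-31"}   # employee id -> last working day
KEY_OWNERS = {"AK-7F3A": "emp-1042", "AK-91C2": "emp-2210"}
HOME_COUNTRIES = {"KR"}                   # where key use is expected from
LOG_LINES = [
    "2025-03-15T09:12:44Z key=AK-7F3A src_country=KR action=issue_token",
    "2025-06-24T02:03:10Z key=AK-7F3A src_country=XX action=issue_token",
    "2025-06-24T02:05:51Z key=AK-91C2 src_country=KR action=issue_token",
    "2025-11-08T17:40:02Z key=AK-7F3A src_country=XX action=read_customer",
    "malformed line without fields",
]

def parse_line(line):
    """Return (timestamp, fields), or None for a line that does not parse."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
    except (IndexError, ValueError):
        return None
    return (ts, fields) if "key" in fields else None

def find_stale_key_use(lines, key_owners, offboarded, home_countries):
    """Flag each use of a key after its owner's last day; note foreign origin."""
    findings = []
    for parsed in filter(None, map(parse_line, lines)):
        ts, f = parsed
        last_day = offboarded.get(key_owners.get(f["key"]))
        if last_day is None or ts.date() <= date.fromisoformat(last_day):
            continue  # owner still employed, unknown key, or use predates exit
        foreign = f.get("src_country") not in home_countries
        reason = "post-offboarding" + ("+foreign-origin" if foreign else "")
        findings.append((ts.isoformat(), f["key"], reason))
    return findings

def keys_to_revoke(key_owners, offboarded):
    """Keys still in the inventory whose owner has left: revoke or rotate."""
    return sorted(k for k, owner in key_owners.items() if owner in offboarded)

if __name__ == "__main__":
    for finding in find_stale_key_use(LOG_LINES, KEY_OWNERS, OFFBOARDED, HOME_COUNTRIES):
        print(finding)
    print("revoke:", keys_to_revoke(KEY_OWNERS, OFFBOARDED))
```

Running `keys_to_revoke` on a schedule against the live inventory catches the stale key before it is used; the log scan only shows use that has already happened.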

Data Not Legally Required to Be Encrypted

The leaked information was not subject to mandatory encryption under Korean law. Currently, the Personal Information Protection Act in South Korea requires encryption only for payment data such as credit card numbers and unique identifiers like resident registration numbers.

Although information such as names, addresses, phone numbers, email addresses, and purchase history may seem less critical, combining these data points can create security risks.

Analyzing purchase history reveals lifestyle patterns and family structures, which, when linked to personal contact details, could lead to spear-phishing attacks or even physical threats.

Moreover, cross-referencing this data with previously leaked payment information can enable re-identification attacks that precisely pinpoint individuals.

The Case for Enterprise-Grade Encryption Solutions

This incident highlights the importance of data encryption, even when it is not legally mandated. Unlike unencrypted data, which becomes immediately exploitable once leaked, encrypted data remains useless without the decryption keys.

However, in the absence of legal obligations, many companies do not prioritize voluntary encryption.

To reduce risks from data breaches, organizations must implement proven encryption solutions from trusted cybersecurity vendors. Since its establishment in 1997, Penta Security has built expertise in data protection, becoming a global leader in data security.

In 2004, Penta Security launched D.AMO, a data encryption platform that provides encryption, centralized control, and an independent key management system (KMS).

Over the past 20 years, D.AMO has been deployed by over 10,000 enterprise customers, including major financial institutions, public sector entities, and large corporations, confirming its status as a leader in global cybersecurity.

D.AMO supports multiple encryption methods—API-based, plug-in, and kernel-level encryption—without requiring application modification. This flexibility enables faster deployment, reducing setup times from months to days. It also offers integrated security features such as access control, auditing, and monitoring.

[Image: D.AMO work chain]

Concerns about performance degradation due to encryption are natural, but modern technologies address these efficiently.

For example, D.AMO minimizes performance impact by offering column-level selective encryption based on data sensitivity and is compatible with every layer of an organization’s system environment.

Record Fines Expected Amid Public Outcry

The Coupang breach surpasses the previous SK Telecom USIM data leak involving 27 million users, which led to a fine of 134.8 billion KRW.

Under South Korea’s amended data protection laws, fines can reach up to 3% of annual revenue, which in Coupang’s case could range from 150 billion KRW to a maximum of 1.2 trillion KRW.

Just two days after the breach was made public, class action movements began to form, with over 200,000 people joining related online forums. The breach was not an external cyberattack but rather a case of insider abuse of legitimate credentials.

The company’s extended detection period may also be viewed as a violation of mandatory safety measures, potentially resulting in additional penalties.

Proactive Security with Verified Solutions

The Coupang data breach demonstrates that information not covered by encryption requirements can still pose risks when combined. Companies should consider protecting customer data beyond legal minimums by adopting encryption solutions from established cybersecurity providers like Penta Security.

Beyond encryption tools, organizations need centralized management and effective key management systems.

With nearly 30 years of experience and continuous development, Penta Security provides cybersecurity solutions for various IT infrastructures—from on-premise systems to cloud, multi-cloud, and hybrid environments.

[Image: Manage all D.AMO systems]

Moreover, Penta Security’s D.AMO can encrypt all data types (structured and unstructured) and is deployable across all layers of IT systems, including OS, databases, and applications.

As the Coupang case shows, organizations may benefit from applying encryption beyond legally mandated data to help prevent similar incidents.


Sponsored and written by Penta Security.


Source: https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/