惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

人人都是产品经理
人人都是产品经理
MyScale Blog
MyScale Blog
Y
Y Combinator Blog
罗磊的独立博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
V
Vulnerabilities – Threatpost
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
Recorded Future
Recorded Future
N
News and Events Feed by Topic
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
博客园 - 叶小钗
B
Blog
Vercel News
Vercel News
T
Tenable Blog
T
The Exploit Database - CXSecurity.com
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Last Week in AI
Last Week in AI
F
Fortinet All Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
S
Securelist
Microsoft Azure Blog
Microsoft Azure Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
D
DataBreaches.Net
Cyberwarzone
Cyberwarzone
Engineering at Meta
Engineering at Meta
Martin Fowler
Martin Fowler
G
GRAHAM CLULEY
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
CERT Recently Published Vulnerability Notes
L
LangChain Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Check Point Blog
A
About on SuperTechFans
W
WeLiveSecurity
The GitHub Blog
The GitHub Blog

The Record from Recorded Future News

Taiwan charges two businessmen over alleged role in Chinese espionage campaign Former UK privacy chief preparing legal action against woman who reported him, minister says Spain arrests alleged supporter of pro-Russian hacktivist groups after FBI tip EU unveils cyber plan to reduce reliance on foreign AI systems Supreme Court allows Texas app law requiring age verification to take effect Britain plans to build autonomous AI 'Cyber Shield' to defend nation Major Japanese telco says cyberattack exposed 12 million emails UK cyber pledge draws only a handful of top firms despite ministerial appeal Canadian spy agency reports hacking three criminal groups in 2025 Attackers vote themselves $20 million in BONK cryptocurrency Major medical device manufacturer notifies nearly 4 million of breach Japanese teen arrested over cyberattack that disrupted anime streaming service Ukrainian media outlets now among 'priority targets' for Russian hackers Spyware found on phone of European Parliament member probing it Launch of UK's National Cyber Action Plan delayed amid Labour leadership crisis Supreme Court decision threatens EU-US data transfer agreement Teen suspect in Scattered Spider hacks is extradited to US US lifts export controls on Anthropic’s frontier cybersecurity AI models Japanese insurer, brewer, manufacturer and telecom disclose cyber breaches CIA chief highlights major shifts in agency’s tech approach House passes kids’ online safety bill, but Senate approval unlikely An intelligence budget 'super user' job is now in the hands of Russ Vought Justices rule that cellphone location histories are protected by the Fourth Amendment US racks up about 400 wins over illegal World Cup streaming sites US posts $10 million reward over Russian cyber campaign targeting Signal, WhatsApp Ukraine to use seized crypto from cybercrime group to buy war bonds Russia accuses Apple of ‘political censorship’ after VK apps removed from App Store Turla group adds more malware to Russia’s espionage efforts against Ukraine Russia used social engineering to breach prominent messaging accounts, Ukraine says FCC votes to toughen rules in bid to better protect undersea cables DHS chief says president has met with potential CISA nominee; agency plans to hire 600 Another Russian dairy company reportedly disrupted by cyberattack Ukraine's state postal operator reports app disruption after cyberattack Russia used Cellebrite phone-hacking tool to crack down on dissident after firm cut off country Three ‘cybercrime as a service’ operations undercut by Microsoft, law enforcement German rail services resume after wireless communications outage Indian auto giant Bajaj Auto hit by ransomware incident Five Eyes agencies sound alarm about AI’s threat to cybersecurity Feds seize alleged cyber-scam infrastructure connected to Southeast Asian company Trump directs federal agencies to protect US data from quantum threats Compromise kids online safety bill unveiled by House leaders, with key omission Two Scattered Spider members plead guilty over cyberattack that crippled London transit Tata Electronics confirms cyberattack after alleged Apple, Tesla documents appear online Suspected cyberattack triggers false emergency alerts across parts of Brazil Police raid malware network tied to Russia's Evil Corp hacker group UK's information commissioner resigns over ‘inappropriate humour’ Bulgaria allowed surveillance tech firm to sell products to repressive regimes, report says Australian sugar producer works to restore operations as ransomware group claims attack Hostile states behind three-quarters of attacks on Britain's critical infrastructure, cyber chief warns EU grants Ukraine access to cybersecurity reserve for major attacks Warner warns of CISA cuts, staffing gaps in letter to acting chief GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say India's Telegram ban draws criticism from Durov as company challenges order in court India temporarily blocks Telegram over medical exam cheating fears UK to ban social media access for children under 16 Estonia to quarantine emails sent from Russian .ru domain /maine-turns-off-breach-portal-fake-reports Cyberattack on Russian tech firm Astral disrupts business, government services for week Finland brings charges against cargo ship officers for cutting submarine cables Anthropic says US government forced it to disable cybersecurity AI models Belarus-linked hackers target Gmail accounts of Polish public figures and their families Bankruptcy admin approves settlement fund of $47 million for 23andMe data breach victims Major US surveillance program poised to lapse after legislative deadlock Cyber Force not included in Senate defense policy roadmap British high school sends students home following cyberattack Hacker linked to Void Blizzard faces charges over cyberespionage campaign University of Nottingham confirms cyber incident as Shiny Hunters group claims data theft CISA to require federal agencies to patch some cyber vulnerabilities within 3 days Cyberattack shuts down major Australian sugar mills, disrupting harvest Microsoft ships largest Patch Tuesday on record, with one bug under active attack UK weakens proposed telecoms defenses against Chinese hackers after industry pushback CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says Hackers pose as women seeking romance to spy on Russian soldiers UK gives big tech 3 months to create device controls to block nude images of kids EU unveils tech sovereignty package to cut reliance on US, Chinese suppliers Apple removes Russia’s state-backed messaging app Max from its store Trump considers Palantir exec to lead CISA FTC considers setting aside or modifying $150 million privacy penalty against X Russia seeks to label two anti-Kremlin hacker groups as ‘extremist’ Supreme Court rules FCC fines punishing telecom giants for sharing location data were legal UN food agency investigates breach exposing data of Gaza aid recipients Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process Five Eyes warn Chinese spies are using job sites to recruit insiders CISA directive for AI executive order to be released this week, Andersen says DHS chief signals efforts to reshape CISA New cyber force would cost up to $11 billion to start, commission says White House unveils pared-back AI executive order Russia claims foreign spy agencies hacked officials' phones Red Hat removes tainted packages after software pipeline compromise Spain arrests suspected hacker for publishing personal data of police, prosecutors and cyber officials Microsoft says it will not pursue security researchers after zero-day backlash Inspector general finds NIST mistakes have made vulnerability database ineffective NSA selects new leads for key cybersecurity posts Afghan finance officials targeted by suspected Pakistani cyberespionage campaign Unknown hacker group targeted Russian maritime universities, diplomats for nearly two years Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more Cruise giant Carnival confirms data breach affecting nearly 6 million people Canadian man gets 33 years for using social media to coerce US children into sending sexual content Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns
South Korea hits Coupang with record $409 million fine over data breach
Alexander Martin · 2026-06-12 · via The Record from Recorded Future News

South Korea's data protection regulator has imposed a record 624.7 billion won ($409 million) fine on Coupang, the country's largest online retailer, after an investigation into a data breach that compromised the personal information of tens of millions of customers.

The Personal Information Protection Commission (PIPC) voted at a plenary session on Wednesday to sanction Coupang and its logistics subsidiary, Coupang Fulfillment Services, concluding that the breach stemmed not from sophisticated hacking but from “deficiencies in basic safety management.”

The penalty is the largest ever issued by the commission for a personal data breach, surpassing the record 134.8 billion won ($88.8 million) fine levied against SK Telecom earlier this year.

The breach first became public in November when Coupang said approximately 33.7 million customer accounts had been compromised — equivalent to around 65% of South Korea's entire population.

The PIPC's investigation confirmed that 33,222,472 registered members were affected, but also identified a category of victims the company had not previously acknowledged: at least 4,338,368 non-members whose names, phone numbers and addresses had been stored as delivery recipients by other customers, and who had no way of knowing their data was held by Coupang at all.

The regulator said it had formally urged the company four times, in December 2025 and January 2026, to notify those non-member victims. Coupang failed to do so each time.

The perpetrator, an unnamed Chinese national and former employee who left the company at the end of 2024, had himself developed Coupang's alternative authentication system while still employed and had stolen the signing key that underpinned it before he left.

He began with a test run in January 2025, using the stolen key on 95 accounts. From April, he systematically cycled through member ID numbers, hitting Coupang's delivery address page approximately 148 million times over two months to harvest names, phone numbers and addresses.

He then turned to the account edit page, accessing it nearly 35 million times between June and October to collect names and email addresses. A final phase added apartment entry codes and order histories.

The former employee later reassembled the data into individual customer profiles and sent two extortion emails — to members directly, and to Coupang — the second claiming to hold 120 million addresses, 560 million order records and more than 33 million email addresses, with sample data that included sensitive purchase histories.

The PIPC found that throughout the seven-month attack, traffic on the affected pages had spiked to many times their normal levels, and that tens of millions of access attempts had used non-existent member IDs. Coupang detected none of it until a customer forwarded one of the extortion emails.

The commission referred Coupang for criminal prosecution over the destruction of evidence. Regulators had ordered the preservation of access logs on November 21 — the day after Coupang filed its initial breach report, but six days later, the company manually deleted approximately six months of web access logs.

Coupang also failed to pause its routine policy of automatically deleting logs after six months, allowing further records to be wiped. Roughly 13% of the logs covering the attack period were lost, making it impossible to identify all affected victims.

Police separately recovered a smashed laptop from a river during the investigation — a MacBook Air the alleged perpetrator had weighted with bricks in an apparent attempt to destroy evidence — which forensic teams from Mandiant, Palo Alto Networks and Ernst & Young were able to document before it was handed to authorities.

Additional violations uncovered

The investigation, expanded in January 2026 following parliamentary hearings and media coverage, unearthed several violations separate from the breach itself.

Through its “Coupang Partners” affiliate marketing program, the company had covertly collected the third-party browsing activity of about 11.2 million users — URLs visited, app names, timestamps, IP addresses and device identifiers — without consent, linking the data to individual member accounts.

Coupang argued the information did not constitute personal data; the regulator disagreed, noting it was stored alongside member ID numbers and device identifiers. The commission imposed a further 201.1 billion won ($132 million) fine for this violation alone. Coupang deleted the records in April 2026 after investigators confronted the company.

Some advertising partners in the same program had also been running so-called “hijack ads” — redirecting users to Coupang without their consent, in some cases by covering the screen with a transparent button so that clicking anywhere triggered a redirect.

Coupang had been aware of the practice since 2022 but had failed to terminate the accounts of partners who met its own threshold for removal, and had in some cases paid them higher commissions after they were caught, the investigation found.

Coupang Fulfillment Services, the logistics subsidiary, was also found to have secretly added 71 police press-corps journalists — none of whom had ever worked at a Coupang warehouse — to an internal employment blacklist, citing “spreading false information,” without their knowledge or consent.

The subsidiary was also found to have submitted employees' weight data, collected for health management purposes, as evidence in an industrial accident lawsuit, without a separate legal basis.

The commission additionally found that when Coupang conducted its own internal investigation of the hacker in December 2025 — drawing criticism from lawmakers and government officials at the time — it had excluded its own chief privacy officer from the process entirely. Regulators treated this not as an internal communication failure but as a substantive violation of the legally mandated independence of the chief privacy officer’s role.

Acting CEO Harold Rogers, who was questioned by police in January as a suspect in an obstruction inquiry, had pledged full cooperation with authorities. The company said it regretted the PIPC's decision and reserved the right to challenge it through legal proceedings once it receives the formal written ruling.

Dispute mediation proceedings covering more than 2,500 individual and group claimants, which had been paused during the investigation, are set to resume on June 12. A class-action lawsuit in the United States also remains pending.

Coupang's shares have fallen around 35% since the start of the year. The company has warned that revenue growth could slow, and faces ongoing scrutiny from South Korean lawmakers over both the breach and its response to it.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Recorded Future

No previous article

No new articles

Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79