Cyber Incident Victim: Coupang Inc.

In January a former Coupang engineer who had helped design parts of the company’s user authentication system attempted to gain unauthorized access to Coupang’s internal systems, according to the South Korean Ministry of Science and ICT. The same individual, who was aware of existing flaws in the authentication process, successfully breached the system in April by exploiting vulnerabilities that allowed login without proper credentials. Using a signing key that he had taken when he left the company in November 2024, the former employee generated fake login tokens that enabled him to access customer accounts without detection. The breach persisted uninterrupted from April until November, during which time a software program he authored issued approximately 140 million queries against Coupang’s databases. The Ministry reported that the intrusion exposed personal data belonging to roughly 33.7 million customers, specifically names and phone numbers, while payment information and login credentials were not compromised. Coupang later stated that data retained from around 3,000 user accounts was subsequently deleted and that there was no evidence any secondary harm had resulted from the exposure.

Coupang’s internal security team was notified of the incident at 4:00 p.m. local time on November 17, but the company did not inform regulatory authorities until 9:35 p.m. on November 19, a delay exceeding fifty‑three hours that the Ministry said violated the information‑network law’s 24‑hour reporting requirement. The Ministry announced plans to impose an administrative fine of up to 30 million won (approximately $20,596) for this violation and urged Coupang to implement a detection and blocking system for electronic access cards that are not issued through normal procedures. In response, Coupang pledged to take all necessary steps to prevent further harm and to continue strengthening its safeguards against recurrence. The police investigation into the breach remains ongoing, with an arrest warrant having been issued in December for the Chinese national who formerly worked at Coupang, and the personal data watchdog is also conducting its own inquiry. Additionally, Coupang faces a separate tax audit in South Korea and a legal complaint filed by the nation’s parliament against its founder and former executives for failing to attend parliamentary hearings the previous year. The Ministry noted that it could not confirm whether more than one individual participated in the breach pending the outcome of the police investigation.