South Korean authorities stated on Tuesday that e-commerce giant Coupang must rectify vulnerabilities in its security system, which officials believe led to a significant data breach at the company.
The Ministry of Science and ICT released preliminary findings from a government-led investigation, indicating the data leak was perpetrated by a former Coupang engineer who was aware of weaknesses in the authentication system. Investigation records show the former employee attempted to illegally access the system in January 2025. The data breach itself occurred in April and persisted until November.
Coupang's South Korean operation, part of the US-listed Coupang, Inc., experienced one of the most severe data breaches in the country's history. This incident has intensified trade friction between South Korea and the United States, following expressions of concern from US officials regarding the treatment of American tech firms.
The Ministry confirmed that personal information belonging to approximately 33.7 million customers was compromised.
The Ministry stated, "The attacker exploited a vulnerability in user identity authentication to access user accounts without proper login procedures, resulting in a large-scale illegal leak of information."
Authorities accused the former employee of stealing an internal security key, known as a signature key, and using it to generate fraudulent login tokens for unauthorized access to customer accounts.
According to the announcement, the former engineer had participated in designing and developing parts of Coupang's user authentication system. The company failed to detect the fraudulent log-in attempts after the employee's departure and did not replace the signature key in a timely manner.
The Ministry pointed out, "The verification mechanism for detecting forged or manipulated electronic access credentials was deficient, making it difficult to detect or intercept the attack in advance."
"Coupang needs to implement a system for detecting and blocking electronic access credentials that are issued outside of normal procedures."
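As an added illustration (not Coupang's code and not part of the Ministry's findings), the sketch below shows one way a verifier can refuse tokens signed with a retired key, and tokens that carry a valid signature but were never issued by the login flow. The token format, key ids, issuance ledger and function names are all assumptions constructed for this example.

```python
import base64, hashlib, hmac, json

# Constructed keys. "k1" stands for a signing key retired when its holder left.
ACTIVE_KEYS = {"k2": b"constructed-current-key"}
RETIRED_KEYS = {"k1": b"constructed-retired-key"}  # kept only so the demo can sign with it
ISSUED = {}  # issuance ledger (token id -> user), written only by the login flow

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(key, kid, body):
    return _b64(hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).digest())

def sign(claims, kid, key):
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{body}.{_mac(key, kid, body)}"

def login(user, token_id):
    """Normal issuance path: record the token id before handing the token out."""
    ISSUED[token_id] = user
    return sign({"sub": user, "jti": token_id}, "k2", ACTIVE_KEYS["k2"])

def verify(token):
    """Return (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    kid, body, mac = parts
    key = ACTIVE_KEYS.get(kid)
    if key is None:  # rotation: tokens under a retired or unknown key are refused
        return False, "retired-or-unknown-key"
    if not hmac.compare_digest(_mac(key, kid, body).encode(), mac.encode()):
        return False, "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    jti = claims.get("jti") if isinstance(claims, dict) else None
    # A valid signature is not enough: the token must also appear in the ledger.
    if not isinstance(jti, str) or ISSUED.get(jti, object()) != claims.get("sub"):
        return False, "not-issued-by-login-flow"
    return True, "ok"
```

Rejections with the reason `not-issued-by-login-flow` are the ones worth alerting on, since they mean someone holds a currently valid signing key.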
Separate investigations into the data breach by the police and South Korea's Personal Information Protection Commission are still ongoing.
The Ministry accused Coupang of violating information network laws by failing to report the data breach within the mandated 24-hour period. It announced intentions to impose an administrative fine of up to 30 million won (approximately $20,596). The notice revealed that Coupang discovered the breach at 4:00 PM on November 17 but did not report it to authorities until 9:35 PM on November 19.
The Ministry also accused Coupang of failing to comply with an order to preserve data for cause analysis and has referred this matter to the relevant authorities for further investigation.
Coupang could not immediately be reached for comment.