South Korea says Coupang must address security loopholes in probe of data breach

Reuters 02-10
Coupang data breach affected 33.7 million customers, probe finds

Former engineer accused of exploiting authentication vulnerabilities

Police and data watchdog continue separate investigations into data leak

By Heekyong Yang and Hyunjoo Jin

SEOUL, Feb 10 (Reuters) - South Korean authorities said on Tuesday that e-commerce giant Coupang needs to fix vulnerabilities in its security systems that they blamed for causing a massive data leak at the company.

Announcing the first findings of a government-led probe into the incident, the Science Ministry blamed the leak on a former Coupang engineer, who it said was aware of vulnerabilities in the authentication system, citing records that he attempted to gain access in January 2025, three months before the data breach, which began in April and lasted until November.

Coupang Korea, operated by U.S.-listed Coupang Inc CPNG.N, suffered one of South Korea's worst data breaches, which has increased trade friction with Washington after American officials expressed concern over the treatment of U.S. tech companies.

The ministry said the probe confirmed that personal data of about 33.7 million customers was leaked.

"The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorised information leaks," the ministry said.

The ministry accused the former employee of stealing an internal security key, known as a signing key, which it said was used to generate fake login tokens and gain unauthorised access to customer accounts.

It said the former staff engineer had designed and developed parts of Coupang’s user authentication system, and that the company failed to detect the forged login and rotate signing keys after the developer left.

"The verification system for forged or altered electronic access cards was inadequate, making it difficult to detect or block the attacks in advance," the ministry said.

"Coupang needs to introduce a detection and blocking system for electronic access cards that do not go through the normal issuance process," it said.

Separate investigations of the data leak by police and the country’s personal data watchdog are continuing.

The ministry accused Coupang of violating the information network law by delaying reporting the breach beyond a required 24-hour period, adding it plans to impose an administrative fine of up to 30 million won ($20,596) under the law. Coupang became aware of the data breach at 4:00 pm on November 17 and reported it to authorities at 9:35 pm on November 19, the ministry said.

It also accused Coupang of failing to comply with a data preservation order made to analyse the cause of the data leak, and referred the matter to authorities for investigation.

Coupang could not immediately be reached for comment.

(Reporting by Heekyong Yang and Hyunjoo Jin; Additional reporting by Heejin Kim; Editing by Ed Davies)
