Internal Security Failures Exposed: South Korean Regulators Pin Coupang Data Breach on Company Weaknesses
Another day, another data breach—but this time, regulators aren't mincing words. South Korea's financial watchdog has delivered a blunt verdict: Coupang's massive customer data leak stems directly from its own internal security failures.
The Blame Game Ends Here
Forget sophisticated external hackers. The investigation points the finger squarely at the company's doorstep. Lax protocols, insufficient safeguards, and overlooked vulnerabilities created the perfect storm. It's a classic case of the castle walls crumbling from within.
A Costly Oversight
When a titan of e-commerce stumbles on basic digital hygiene, the fallout is never just technical. Consumer trust evaporates. Regulatory scrutiny intensifies. And the financial hit? Let's just say it makes for a fantastic case study in how not to manage operational risk—perfect for those finance bros who still think cybersecurity is just an IT expense.
The real breach wasn't just in the servers; it was in the priorities. In an era where data is the new currency, protecting it shouldn't be an afterthought.
Probe identifies authentication failures
The Ministry of Science and ICT said early in January 2025 that an individual was trying to gain unauthorized access into Coupang’s systems by exploiting usability issues related to authentication. Investigators noted this occurred prior to any indication of a breach publicly occurring.
“The attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorised information leaks,” the ministry said.
They have been able to determine that the individual was able to obtain unauthorized access to users’ accounts via the exploitation of the vulnerabilities in the authentication process, which resulted in the breach of confidential information of about 33.7 million customers.
The ministry determined that the data breach followed the misuse of an internal employee’s security signing key for the purposes of generating counterfeit authentication tokens by an employee who left in November 2024.
It said the staff member had designed and developed parts of Coupang’s user verification, and the company failed to provide a level of protection against this employee being able to obtain access to these customers’ confidential account data.
“The verification system for forged or altered electronic access cards was inadequate, making it difficult to detect or block the attacks in advance,” the ministry said.
In December 2025, Coupang confirmed that it will compensate customers affected by a recent user data breach, pledging over $1.17 billion in vouchers. The company emphasized that the breach only affected customer names, email addresses, some order histories, and home addresses, not payment and login details.
Regulators demand Coupang system upgrades
Authorities have ordered Coupang to implement advanced technology that enables the detection and blocking of electronic access cards received outside of the standard issuance process.
“The Ministry of the Interior and Safety has directed Coupang to install detection and blocking tools for electronic access cards that were not issued through the regular issuance process,” said the ministry.
The police and the Personal Data Authority have undertaken their independent investigations into the alleged incident.
The Ministry of Interior also accused Coupang of violating information network laws by failing to report the incident within the required 24-hour period. The regulatory body claimed that the company’s knowledge of the intrusion occurred on November 17, but they did not report anything until November 19.
The ministry is currently determining whether to impose an administrative penalty of up to 30 million won ($20,596). The ministry has referred the allegation of spoliation of data to the appropriate division for review. Coupang has not made any public statements regarding the outcome of the investigation.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
