South Korea Says Coupang Data Breach Was Caused by Management Failures

SEOUL — Feb 10 (GeokHub) - South Korean authorities said on Tuesday that a massive data breach at e-commerce giant Coupang was the result of internal management failures rather than a sophisticated cyberattack, urging the company to urgently address security weaknesses.

In preliminary findings from a government-led investigation, officials said a former Coupang engineer exploited known flaws in the company’s authentication system to gain unauthorized access to customer data. The breach began in April and went undetected until November, after an earlier failed attempt in January.

Insider Exploited Security Gaps

The Science Ministry said the former employee had direct knowledge of vulnerabilities within Coupang’s user authentication process and used that access to bypass normal login procedures.

“It was more a management issue than an advanced hacking operation,” a senior cybersecurity official said, pointing to weak oversight and inadequate controls over internal security credentials.

Authorities said the attacker generated fake login tokens by using an internal signing key that had not been disabled after the employee left the company, allowing repeated unauthorized access to user accounts.

Millions of Customers Affected

The breach exposed personal information of approximately 33.7 million customers, including names and phone numbers. Officials said there was no indication that payment details or login credentials were compromised.

Coupang said a software program created by the former employee generated roughly 140 million automated queries, but maintained there was no evidence that any third party accessed or viewed the data. The company added that data associated with around 3,000 user accounts was later deleted and that no secondary harm had been identified.

Authorities Accuse Coupang of Obstructing Probe

The ministry also accused Coupang of attempting to limit the investigation by deleting certain data, despite a government order requiring information preservation. Police have been asked to examine whether the company obstructed the probe.

Officials said Coupang failed to immediately revoke the former engineer’s internal access credentials, calling the lapse a serious security flaw. They urged the company to implement systems that detect and block unauthorized digital access keys.

Legal and Regulatory Pressure Mounts

A police investigation is ongoing, and the country’s data protection authority is also reviewing the incident. An arrest warrant was issued late last year for a former Coupang employee of Chinese nationality in connection with the breach.

Separately, authorities said Coupang violated information-network laws by failing to report the breach within the required 24-hour window. The company reported the incident more than two days after it was first identified, exposing it to potential administrative fines.

Coupang said it is strengthening safeguards to prevent a recurrence as regulatory scrutiny over the incident continues.