Coupang Hit by Major Insider Data Breach
South Korean e-commerce giant Coupang disclosed a massive data breach after a former employee illegally accessed over 33 million user accounts. The incident highlights the growing operational and reputational risks in retail tech. For enterprise vendors, it underscores that robust security and auditability are non-negotiable platform features.
The breach was perpetrated by a former Chinese developer who had worked on Coupang's authentication systems. Exploiting weak privilege controls, the ex-employee used a valid authentication token that should have been revoked upon their departure to remotely access and extract user data over a period of five months. Unauthorized access began on June 24, 2025, but went undetected by Coupang's security operations until November 18, 2025. The exposed data included customer names, email addresses, phone numbers, and shipping addresses, but did not include payment or credit card information. The incident came to light only after the suspect contacted Coupang in an extortion attempt.
This event ranks as South Korea's most severe data breach in over a decade, affecting nearly two-thirds of the country's population. The investigation has since expanded to include at least 200,000 users in Taiwan, as it was discovered that identical backup encryption keys were used for both the Korean and Taiwanese user databases.
In response, Coupang's co-CEO resigned, and the company has engaged multiple global cybersecurity firms, including Mandiant and Palo Alto Networks, to conduct a forensic investigation. The company has also announced a 1.69 trillion won (approximately $1.2 billion USD) compensation plan, offering purchase vouchers to all 33.7 million affected users. The incident has drawn sharp criticism regarding Coupang's security investments, which reportedly amounted to only 0.2% of its revenue, a figure that contrasts sharply with global e-commerce leaders like Amazon. South Korean regulators have launched a formal probe and are considering record fines, with the Personal Information Protection Commission (PIPC) investigating potential violations of data protection laws.
The breach highlights critical flaws in access management, specifically the failure to expire authentication keys after an employee's departure. Experts note that insider threats are notoriously difficult to detect as they involve legitimate, albeit abused, system access, underscoring the need for robust, continuous monitoring and a Zero-Trust security architecture.