A government investigation into South Korean e-commerce giant Coupang has concluded that the company’s lax management of its user authentication system was instrumental in the massive data theft incident, which exposed private information from more than 33 million customers.

The tentative results of the joint public-private investigation were announced by the Ministry of Science and ICT on Tuesday.

The inquiry, which included a parliamentary hearing of Coupang CEO Daejun Park and Chief Information Security Officer (CISO) Brett Mattis, concluded that 33.67 million users’ names and email addresses were leaked by a former Chinese employee, who was in charge of developing the company’s backup authentication system.

The company is now facing potential financial penalties for its delayed disclosure of the cyber incident: Authorities were notified of the breach on November 19, two days after Coupang first became aware of it and five months after the incident occurred.

Officials have called for a probe into the company’s alleged failure to comply with directives to preserve data for forensic examination, the Korean Broadcasting System reports.

South Korea’s Personal Information Protection Act provides for fines of up to three percent of annual revenue for violating data protection regulations, meaning that Coupang’s penalty could exceed US$1 billion. Meanwhile, a growing number of the company’s U.S. investors are taking legal action against the South Korean government, arguing that the government’s investigation is discriminatory.

Electronic access pass identified as key weakness

According to a breakdown of the investigation published by Asia Business Daily, Coupang’s former backend engineer became aware of vulnerabilities in the user authentication framework and key management system and began exploiting vulnerabilities in the company’s gateway server system three months later, on April 14th, 2025.

The company’s gateway server was designed to restrict access exclusively to users who had obtained a legitimate electronic access pass through proper authentication protocols, yet investigators discovered that the necessary verification mechanisms were not in place.

The signing keys maintained by Coupang – critical tools used to generate electronic access passes – should have been subject to strict, systematic oversight. According to standard protocols, when a staff member departs the company, key rotation procedures must be executed to render the associated signing key unusable.

The investigation, however, revealed that the company had inadequate systems and procedures for this purpose.

Following their departure from the company, the attacker used a stolen signing key and proprietary information obtained during their employment to forge and manipulate electronic access passes. This allowed the attacker to circumvent Coupang’s authentication infrastructure without completing standard login procedures, and the attacker began by conducting preliminary tests.

After these initial tests confirmed that user accounts could be compromised, the attacker deployed automated web-crawling tools on November 8th of last year to extract massive quantities of data. Investigators determined that 2,313 Internet Protocol (IP) addresses were used throughout this process.

The investigation team reported that forensic examination of the attacker’s computer storage devices revealed attack scripts capable of harvesting information and transmitting it to external servers. Analysis also confirmed the attacker had developed functionality to transfer stolen data to an overseas cloud server after gaining unauthorized access to user accounts through counterfeit “electronic access passes.”

However, investigators noted that no records remain to verify whether such data transfers actually occurred.

In its conclusion, the investigation team directs Coupang to bolster controls over authentication credential management and use, upgrade its monitoring systems to detect suspicious login activity, and conduct routine audits of its compliance with security protocols.

Coupang should introduce a detection and blocking system for electronic access passes that have not gone through a legitimate issuance process, and must also “prepare fundamental remediation measures for the vulnerabilities identified in penetration testing.”
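The two controls the investigators describe, retiring a signing key when its holder leaves and rejecting passes that were never legitimately issued, can be sketched at a gateway as follows. This is an added illustration, not Coupang's code: the page does not describe the real pass format, so the HMAC-signed token and the names `Gateway`, `sign_pass`, `kid` and `jti` are assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_pass(key: bytes, kid: str, jti: str, sub: str, exp: float) -> str:
    """Serialize and sign a pass (hypothetical format). Any key holder can do this."""
    body = _b64(json.dumps({"kid": kid, "jti": jti, "sub": sub, "exp": exp}).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

class Gateway:
    def __init__(self, active_keys: dict):
        self.active_keys = dict(active_keys)  # kid -> key; retired keys are deleted
        self.issued = {}                      # jti -> sub, written only at real login

    def login(self, kid: str, jti: str, sub: str, ttl: int = 300) -> str:
        """Legitimate issuance path: record the pass, then sign it."""
        self.issued[jti] = sub
        return sign_pass(self.active_keys[kid], kid, jti, sub, time.time() + ttl)

    def rotate(self, old_kid: str, new_kid: str, new_key: bytes) -> None:
        """Offboarding step: retire the old key so its signatures stop verifying."""
        self.active_keys.pop(old_kid, None)
        self.active_keys[new_kid] = new_key

    def check(self, token: str) -> str:
        try:
            body, mac = token.split(".")
            claims = json.loads(_unb64(body))
            key = self.active_keys.get(claims["kid"])
            if key is None:
                return "reject:retired_or_unknown_key"
            expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac)):
                return "reject:bad_signature"
            if claims["exp"] < time.time():
                return "reject:expired"
            if self.issued.get(claims["jti"]) != claims["sub"]:
                return "reject:not_issued"    # valid signature, no issuance record: alert
            return "allow"
        except (ValueError, KeyError, TypeError):
            return "reject:malformed"
```

A `reject:not_issued` result is the high-value signal here: the signature verifies, so the signing key itself is in use outside the issuance path.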

“Under its own internal rules, Coupang stipulates that signing keys must be stored only in the ‘key management system’ and must not be stored on developers’ PCs (such as hard-coded in source code), but a Coupang developer who is currently employed is storing a signing key on a laptop, creating a risk of key leakage and misuse,” the investigators say.

Additionally, during the examination of Coupang’s Information Security Management System and Personal Information Management System (ISMS-P) certification, the investigation team found that the company has not segregated development and production environments and continues to grant developers access privileges to the operational “key management system.”

“Coupang must reinforce its key management and oversight framework, refine operational standards, and implement ongoing compliance reviews,” the investigation notes. “The company must also improve monitoring capabilities to identify anomalous access patterns and establish log retention and management protocols appropriate for incident analysis and damage assessment.”

