Management Lapses Blamed for Massive Coupang Data Leak, South Korea Says

South Korean authorities have concluded that last year’s massive data breach at Coupang was caused by internal management failures rather than a sophisticated cyberattack, according to initial findings from a government probe announced Tuesday. The Ministry of Science and ICT said a former engineer exploited weaknesses in the company’s authentication system from April through November, accessing user accounts without proper login procedures. Officials stated the breach exposed personal information, including names and phone numbers, of approximately 33.7 million customers, describing the incident as a failure of oversight and security controls rather than an advanced external intrusion.

Investigators said the former employee, who had helped design parts of Coupang’s authentication system, retained an internal signing key after leaving the company. Authorities allege the key was used to generate fake login tokens, allowing large-scale unauthorized access. The ministry criticized Coupang for not invalidating the developer’s credentials promptly and for lacking systems to detect abnormal electronic access. It also accused the firm of attempting to hinder the investigation by deleting some data despite orders to preserve evidence, and referred the matter to police for further investigation. Justice Minister Jung Sung-ho previously confirmed an arrest warrant had been issued for a former Chinese national employee linked to the case.

Coupang said it would strengthen safeguards and prevent recurrence, noting that while a program generated around 140 million queries, there was no evidence of payment or login data exposure or secondary misuse. The company maintained that data from roughly 3,000 affected accounts had since been deleted. However, the ministry said Coupang violated information-network laws by failing to report the breach within the required 24 hours, as notification came more than 53 hours after internal detection. Authorities plan to impose an administrative fine and said separate investigations by police and the personal data watchdog are ongoing, adding to mounting regulatory and political pressure on the U.S.-listed e-commerce giant.

Pic Courtesy: google/ images are subject to copyright